Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016



AD ID

0003437

AD STATUS

Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016

ORIGINATOR

The National Assembly of the Republic of Korea

TYPE

Regulation or Statute

AVAILABILITY

Free

SYNONYMS

Act On Promotion of Information and Communications Network Utilization and Information Protection

EFFECTIVE

Varies

ADDED

The document as a whole was last reviewed and released on 2022-04-12T00:00:00-0700.

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata that are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016 that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016 are based upon terms found either within the Authority Document’s defined terms section (which most legal documents have), its glossary, or, for the most part, as tagged within each mandate. The terms with links are the standardized versions of those terms.



Common Controls and mandates by Impact Zone

190 Mandated Controls - bold
114 Implied Controls - italic
2101 Implementation

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
2405 Total
  • Acquisition or sale of facilities, technology, and services
    22
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Business Processes Preventive
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Business Processes Preventive
    Establish, implement, and maintain payment transaction security measures. CC ID 13088
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A plan for protection of users of telecommunications billing services; Article 53(1)(2)
    Every provider of telecommunications billing services shall perform his or her duty to pay attention as a good manager so that telecommunications billing services may be provided in a safe manner. Article 57(1)]
    Technical Security Preventive
    Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 Business Processes Preventive
    Restrict transaction activities, as necessary. CC ID 16334 Business Processes Preventive
    Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 Communicate Preventive
    Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 Business Processes Preventive
    Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 Business Processes Preventive
    Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 Business Processes Preventive
    Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 Establish/Maintain Documentation Preventive
    Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 Business Processes Preventive
    Encrypt electronic commerce transactions and messages. CC ID 08621 Configuration Preventive
    Protect the integrity of application service transactions. CC ID 12017 Business Processes Preventive
    Include required information in electronic commerce transactions and messages. CC ID 15318 Data and Information Management Preventive
    Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 Business Processes Preventive
    Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 Communicate Preventive
    Bill and settle electronic commerce transactions. CC ID 08622 Business Processes Preventive
    Make electronic commerce order information available to the customer who ordered the product. CC ID 04585
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Date and time telecommunications billing services are used; Article 58(1)(1)
    When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Amount purchased/used through telecommunications billing services and details thereof; Article 58(1)(3)
    A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)]
    Data and Information Management Preventive
    Correct billing and settlement errors. CC ID 08623
    [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)]
    Business Processes Corrective
    Withhold payment and settlement functions, as necessary. CC ID 15460
    [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)]
    Business Processes Preventive
    Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455
    [Where a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) provides telecommunications billing services or increases the upper limits of use, it shall obtain consent from a user of the relevant telecommunications billing services in advance. Article 58(5)]
    Behavior Preventive
  • Audits and risk management
    5
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a risk management program. CC ID 12051 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)]
    Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485 Establish/Maintain Documentation Preventive
  • Human Resources management
    194
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091
    [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1)
    A provider of information and communications services may establish and operate an association of chief information protection officers comprised of chief information protection officers prescribed in paragraph (1) in order to jointly perform prevention/response in cases of intrusion, sharing necessary information and other joint programs prescribed by Presidential Decree. Article 45-3(4)]
    Establish Roles Preventive
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714
    [A provider of information and communications services whose the average number of users per day, sales, and other related factors fall under the criteria prescribed by Presidential Decree shall designate a person responsible for protection of juvenile to keep juvenile from unwholesome information to juvenile in the information and communication network. Article 42-3(1)
    The person responsible for protection of juvenile shall be chosen from among executive officers of the relevant business operator or the persons in a position equivalent to the head of a department responsible for business affairs related to protection of juvenile. Article 42-3(2)]
    Establish Roles Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources Management Preventive
    Identify and define all critical roles. CC ID 00777 Establish Roles Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471
    [Every provider of information and communications services or similar shall designate a person responsible for protection of personal information so that he or she protects the personal information of users and process complaints from users in connection with the personal information: Provided, That a provider of information and communications services or similar may, if he or she falls under the criteria prescribed by Presidential Decree for the number of employees, number of users, and other related matters, omit such designation. Article 27(1)
    If a provider of information and communications services or similar does not designate a person responsible for protection of personal information under the proviso to paragraph (1), the business owner or representative of the provider or similar shall be the person responsible for protection of personal information. Article 27(2)]
    Establish Roles Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources Management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources Management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources Management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Establish Roles Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources Management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Establish Roles Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)]
    Establish/Maintain Documentation Preventive
    Categorize the gender of all employees. CC ID 15609 Human Resources Management Preventive
    Categorize all employees by racial groups and ethnic groups. CC ID 15627 Human Resources Management Preventive
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 Human Resources Management Preventive
    Establish and maintain Personnel Files for all employees. CC ID 12438 Human Resources Management Preventive
    Include credit check results in each employee's personnel file. CC ID 12447 Human Resources Management Preventive
    Include any criminal records in each employee's personnel file. CC ID 12446 Human Resources Management Preventive
    Include all employee information in each employee's personnel file. CC ID 12445 Human Resources Management Preventive
    Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 Human Resources Management Preventive
    Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 Human Resources Management Preventive
    Include referral follow-up results in each employee's personnel file. CC ID 12440 Human Resources Management Preventive
    Include background check results in each employee's personnel file. CC ID 12439 Human Resources Management Preventive
    Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 Establish/Maintain Documentation Preventive
    Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 Human Resources Management Preventive
    Require all new hires to sign the Code of Conduct. CC ID 06665 Establish/Maintain Documentation Preventive
    Require all new hires to sign Acceptable Use Policies. CC ID 06662 Establish/Maintain Documentation Preventive
    Require new hires to sign nondisclosure agreements. CC ID 06668 Establish/Maintain Documentation Preventive
    Train all new hires, as necessary. CC ID 06673 Behavior Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security policy. CC ID 14025 Establish/Maintain Documentation Preventive
    Include compliance requirements in the personnel security policy. CC ID 14154 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the personnel security policy. CC ID 14114 Establish/Maintain Documentation Preventive
    Include management commitment in the personnel security policy. CC ID 14113 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the personnel security policy. CC ID 14112 Establish/Maintain Documentation Preventive
    Include the scope in the personnel security policy. CC ID 14111 Establish/Maintain Documentation Preventive
    Include the purpose in the personnel security policy. CC ID 14110 Establish/Maintain Documentation Preventive
    Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personnel security procedures. CC ID 14058 Establish/Maintain Documentation Preventive
    Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 Communicate Preventive
    Establish, implement, and maintain security clearance level criteria. CC ID 00780 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain staff position risk designations. CC ID 14280 Human Resources Management Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758 Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Communicate Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Identify and watch individuals that pose a risk to the organization. CC ID 10674 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 Establish/Maintain Documentation Preventive
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Technical Security Corrective
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 Technical Security Corrective
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources Management Preventive
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Data and Information Management Corrective
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources Management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Behavior Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Communicate Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources Management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources Management Corrective
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Behavior Preventive
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources Management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Establish/Maintain Documentation Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources Management Detective
    Train all personnel and third parties, as necessary. CC ID 00785
    [A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)]
    Behavior Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671 Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources Management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Establish/Maintain Documentation Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Establish/Maintain Documentation Preventive
    Submit applications for professional certification. CC ID 16192 Training Preventive
    Retrain all personnel, as necessary. CC ID 01362 Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423 Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672 Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Establish/Maintain Documentation Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Designate training facilities in the training plan. CC ID 16200 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources Management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Training Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Include media protection in the security awareness program. CC ID 16368 Training Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include physical security in the security awareness program. CC ID 16369 Training Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Training Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Establish/Maintain Documentation Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a Code of Conduct. CC ID 04897
    [An organization of providers of information and communications services may establish and implement a code of conduct applicable to providers of information and communications services with an objective to protect users and render information and communications services in a safer and more reliable way. Article 44-4 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 Establish/Maintain Documentation Preventive
    Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 Establish/Maintain Documentation Preventive
    Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 Behavior Preventive
    Include classifications of ethics violations in the Code of Conduct. CC ID 14769 Establish/Maintain Documentation Preventive
    Include definitions of ethics violations in the Code of Conduct. CC ID 14768 Establish/Maintain Documentation Preventive
    Include exercising due professional care in the Code of Conduct. CC ID 14210 Establish/Maintain Documentation Preventive
    Include health and safety provisions in the Code of Conduct. CC ID 16206 Establish/Maintain Documentation Preventive
    Include organizational values in the Code of Conduct. CC ID 12919 Process or Activity Preventive
    Include key policies in the Code of Conduct. CC ID 12890 Establish/Maintain Documentation Preventive
    Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 Establish/Maintain Documentation Preventive
    Include the vision statement in the Code of Conduct. CC ID 12889 Establish/Maintain Documentation Preventive
    Include the organization's mission in the Code of Conduct. CC ID 12875 Establish/Maintain Documentation Preventive
    Include classifications of desired conduct in the Code of Conduct. CC ID 12851 Establish/Maintain Documentation Preventive
    Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 Human Resources Management Preventive
    Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 Establish/Maintain Documentation Preventive
    Include social responsibility criteria in the Code of Conduct. CC ID 16210 Establish/Maintain Documentation Preventive
    Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 Establish/Maintain Documentation Preventive
    Include labor rights criteria in the Code of Conduct. CC ID 16208 Establish/Maintain Documentation Preventive
    Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 Establish/Maintain Documentation Preventive
    Implement a sanctions process for personnel who fail to comply with the organizational compliance program. CC ID 01442 Behavior Corrective
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Communicate Preventive
    Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 Establish/Maintain Documentation Detective
    Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 Establish/Maintain Documentation Preventive
    Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 Establish/Maintain Documentation Preventive
    Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 Establish/Maintain Documentation Preventive
    Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 Behavior Preventive
    Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 Establish/Maintain Documentation Preventive
    Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an ethics program. CC ID 11496 Human Resources Management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858
    [{refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within speculative activities prohibited by statutes; Article 44-7(1)(6)
    {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that commits an activity prohibited by the National Security Act; Article 44-7(1)(8)
    {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Other information with a content that attempts, aids, or abets to commit a crime. Article 44-7(1)(9)
    {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that arouses fear or apprehension by reaching other persons repeatedly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(3)]
    Communicate Preventive
  • Leadership and high level objectives
    201
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Business Processes Preventive
    Establish, implement, and maintain an external reporting program. CC ID 12876
    [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1)]
    Communicate Preventive
    Provide identifying information about the organization to the responsible party. CC ID 16715 Communicate Preventive
    Identify the material topics required to be reported on. CC ID 15654 Business Processes Preventive
    Check the list of material topics for completeness. CC ID 15692 Investigate Preventive
    Prioritize material topics used in reporting. CC ID 15678 Communicate Preventive
    Review and approve the material topics, as necessary. CC ID 15670 Process or Activity Preventive
    Define the thresholds for reporting in the external reporting program. CC ID 15679 Establish/Maintain Documentation Preventive
    Include time requirements in the external reporting program. CC ID 16566 Communicate Preventive
    Include information about the organizational culture in the external reporting program. CC ID 15610 Establish/Maintain Documentation Preventive
    Include reporting to governing bodies in the external reporting plan. CC ID 12923
    [{relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3)
    {relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)
    {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)]
    Communicate Preventive
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Communicate Preventive
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Establish/Maintain Documentation Preventive
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Establish/Maintain Documentation Preventive
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Establish/Maintain Documentation Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A business plan. Article 53(1)(4)]
    Establish/Maintain Documentation Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Process or Activity Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Process or Activity Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Process or Activity Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Business Processes Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Business Processes Preventive
    Prioritize organizational objectives. CC ID 09960 Business Processes Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Business Processes Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Establish/Maintain Documentation Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Communicate Preventive
    Include value distribution in the value generation model. CC ID 15603 Establish/Maintain Documentation Preventive
    Include value retention in the value generation model. CC ID 15600 Establish/Maintain Documentation Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Establish/Maintain Documentation Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Establish/Maintain Documentation Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Establish/Maintain Documentation Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Establish/Maintain Documentation Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Establish/Maintain Documentation Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Establish/Maintain Documentation Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Establish/Maintain Documentation Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Establish/Maintain Documentation Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Communicate Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Communicate Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Business Processes Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Financial soundness; Article 53(1)(1)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Establish/Maintain Documentation Preventive
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Communicate Preventive
    Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 Business Processes Preventive
    Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 Business Processes Preventive
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Business Processes Preventive
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Investigate Detective
    Attach the required information to each funds transfer. CC ID 16756 Business Processes Preventive
    Verify all required information is attached to each funds transfer. CC ID 16755 Business Processes Detective
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Business Processes Preventive
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Testing Preventive
    Include communication protocols in the financial management program. CC ID 16763 Establish/Maintain Documentation Preventive
    Include ongoing monitoring in the financial management program. CC ID 16762 Process or Activity Preventive
    Employ tools to manage settlement and funding flows. CC ID 16743 Process or Activity Preventive
    Refrain from setting up anonymous financial accounts. CC ID 16721 Business Processes Preventive
    Identify and maintain positions in financial accounts. CC ID 16751 Business Processes Preventive
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Establish/Maintain Documentation Preventive
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Process or Activity Preventive
    Establish, implement, and maintain financial resource management procedures. CC ID 16642 Establish/Maintain Documentation Preventive
    Document the rationale for the amount of financial resources being held. CC ID 16688 Establish/Maintain Documentation Preventive
    Supplement financial resources, as necessary. CC ID 16685 Business Processes Preventive
    Establish, implement, and maintain collateral procedures. CC ID 16653 Establish/Maintain Documentation Preventive
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Establish/Maintain Documentation Preventive
    Define the collateral requirements in the collateral procedures. CC ID 16686 Establish/Maintain Documentation Preventive
    Test the collateral requirements for appropriateness. CC ID 16681 Testing Preventive
    Limit the types of assets accepted as collateral. CC ID 16602 Business Processes Preventive
    Avoid the use of concentrated holdings of assets. CC ID 16651 Business Processes Preventive
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Testing Preventive
    Include stress scenarios in the stress test plan. CC ID 16659 Testing Preventive
    Analyze the effectiveness of the stress test plan. CC ID 16657 Process or Activity Detective
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Testing Preventive
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Communicate Preventive
    Identify and document the financial resources available for use. CC ID 16643 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Establish/Maintain Documentation Preventive
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a securities trading program. CC ID 16626 Business Processes Preventive
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the securities trading program. CC ID 16689 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Establish/Maintain Documentation Preventive
    Include performance guarantees in the capital restoration plan. CC ID 16616 Establish/Maintain Documentation Preventive
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Establish/Maintain Documentation Preventive
    Include required information in the capital restoration plan. CC ID 16609 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain valuation procedures. CC ID 16634 Establish/Maintain Documentation Preventive
    Include investment information in approval requests for investments. CC ID 16590 Business Processes Preventive
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain lending policies. CC ID 16608 Establish/Maintain Documentation Preventive
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Process or Activity Preventive
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Establish/Maintain Documentation Preventive
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Establish/Maintain Documentation Preventive
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Establish/Maintain Documentation Preventive
    Include pricing structures in the lending policy. CC ID 16724 Establish/Maintain Documentation Preventive
    Include monitoring requirements in the lending policy. CC ID 16710 Establish/Maintain Documentation Preventive
    Include loan origination procedures in the lending policy. CC ID 16709 Establish/Maintain Documentation Preventive
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Establish/Maintain Documentation Preventive
    Include loan requirements in the lending policy. CC ID 16706 Establish/Maintain Documentation Preventive
    Include appraisals and evaluations in the lending policy. CC ID 16705 Establish/Maintain Documentation Preventive
    Include terms and conditions in the lending policy. CC ID 16695 Establish/Maintain Documentation Preventive
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Establish/Maintain Documentation Preventive
    Include geographic areas in the lending policy. CC ID 16691 Establish/Maintain Documentation Preventive
    Include underwriting guidelines in the lending policy. CC ID 16619 Establish/Maintain Documentation Preventive
    Include credit review in the underwriting guidelines. CC ID 16765 Establish/Maintain Documentation Preventive
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Establish/Maintain Documentation Preventive
    Include documentation requirements in the lending policy. CC ID 16617 Establish/Maintain Documentation Preventive
    Include the purpose of the loan in the loan documentation. CC ID 16747 Establish/Maintain Documentation Preventive
    Include the source of repayment in the loan documentation. CC ID 16746 Establish/Maintain Documentation Preventive
    Include approval requirements in the lending policy. CC ID 16615 Establish/Maintain Documentation Preventive
    Include reporting requirements in the lending policy. CC ID 16614 Establish/Maintain Documentation Preventive
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Establish/Maintain Documentation Preventive
    Include loan administration procedures in the lending policy. CC ID 16610 Establish/Maintain Documentation Preventive
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Establish/Maintain Documentation Preventive
    Include termination procedures in the loan participation agreement. CC ID 16753 Establish/Maintain Documentation Preventive
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Establish/Maintain Documentation Preventive
    Include servicing agreements in the loan administration procedures. CC ID 16744 Establish/Maintain Documentation Preventive
    Include claims processing in the loan administration procedures. CC ID 16742 Establish/Maintain Documentation Preventive
    Include forbearance management in the loan administration procedures. CC ID 16741 Establish/Maintain Documentation Preventive
    Include foreclosure management in the loan administration procedures. CC ID 16740 Establish/Maintain Documentation Preventive
    Include delinquency management in the loan administration procedures. CC ID 16739 Establish/Maintain Documentation Preventive
    Include customer due diligence in the loan administration procedures. CC ID 16736 Process or Activity Preventive
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Establish/Maintain Documentation Preventive
    Include loan closing in the loan administration procedures. CC ID 16734 Establish/Maintain Documentation Preventive
    Include payoff statements in the loan administration procedures. CC ID 16733 Establish/Maintain Documentation Preventive
    Include payment processing in the loan administration procedures. CC ID 16732 Establish/Maintain Documentation Preventive
    Include loan reviews in the loan administration procedures. CC ID 16703 Establish/Maintain Documentation Preventive
    Include collections in the loan administration procedures. CC ID 16701 Establish/Maintain Documentation Preventive
    Include collateral inspections in the loan administration procedures. CC ID 16699 Establish/Maintain Documentation Preventive
    Include disbursements in the loan administration procedures. CC ID 16697 Establish/Maintain Documentation Preventive
    Review and approve lending policies. CC ID 16607 Business Processes Preventive
    Establish, implement, and maintain a dividend policy. CC ID 16569 Establish/Maintain Documentation Preventive
    Include compliance requirements in the dividend policy. CC ID 16570 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain margin systems. CC ID 16601 Business Processes Preventive
    Include valuation models in the margin system. CC ID 16663 Data and Information Management Preventive
    Include procedures for collecting price data in the margin system. CC ID 16662 Data and Information Management Preventive
    Include reliable sources for price data in the margin system. CC ID 16661 Data and Information Management Preventive
    Validate the margin system on a regular basis. CC ID 16660 Testing Detective
    Assess the properties of the margin model used in the margin system. CC ID 16658 Process or Activity Detective
    Monitor the performance of the margin system. CC ID 16655 Monitor and Evaluate Occurrences Detective
    Analyze the performance of the margin system. CC ID 16654 Process or Activity Detective
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Business Processes Preventive
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Establish/Maintain Documentation Preventive
    Determine the amount of assets to be held in escrow. CC ID 16575 Investigate Detective
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Communicate Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Establish/Maintain Documentation Preventive
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Establish/Maintain Documentation Preventive
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Establish/Maintain Documentation Preventive
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Establish/Maintain Documentation Preventive
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Data and Information Management Preventive
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Data and Information Management Preventive
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Data and Information Management Preventive
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Data and Information Management Preventive
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Data and Information Management Preventive
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Data and Information Management Preventive
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Data and Information Management Preventive
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Data and Information Management Preventive
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Data and Information Management Preventive
    Include account information in the recordkeeping system for securities transactions. CC ID 16632 Data and Information Management Preventive
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Establish/Maintain Documentation Preventive
    Include the call date in the securities transaction notification. CC ID 16680 Establish/Maintain Documentation Preventive
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Establish/Maintain Documentation Preventive
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Establish/Maintain Documentation Preventive
    Include the call price in the securities transaction notification. CC ID 16678 Establish/Maintain Documentation Preventive
    Include debits and credits in the securities transaction notification. CC ID 16677 Establish/Maintain Documentation Preventive
    Include transactions in the securities transaction notification. CC ID 16676 Establish/Maintain Documentation Preventive
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Establish/Maintain Documentation Preventive
    Include yield information in the securities transaction notification. CC ID 16673 Establish/Maintain Documentation Preventive
    Include redemption information in the securities transaction notification. CC ID 16672 Establish/Maintain Documentation Preventive
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Establish/Maintain Documentation Preventive
    Include the type of call in the securities transaction notification. CC ID 16668 Establish/Maintain Documentation Preventive
    Include an account statement in the securities transaction notification. CC ID 16666 Establish/Maintain Documentation Preventive
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Establish/Maintain Documentation Preventive
    Include the execution price in the securities transaction notification. CC ID 16664 Establish/Maintain Documentation Preventive
    Include the organization's role in the securities transaction notification. CC ID 16646 Establish/Maintain Documentation Preventive
    Include the name of the broker in the securities transaction notification. CC ID 16647 Establish/Maintain Documentation Preventive
    Include the name of the customer in the securities transaction notification. CC ID 16625 Establish/Maintain Documentation Preventive
    Include the organization's name in the securities transaction notification. CC ID 16624 Establish/Maintain Documentation Preventive
    Include confirmations in the securities transaction notification. CC ID 16623 Establish/Maintain Documentation Preventive
    Include remunerations in the securities transaction notification. CC ID 16622 Establish/Maintain Documentation Preventive
    Include requested information in the securities transaction notification. CC ID 16641 Establish/Maintain Documentation Preventive
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Communicate Preventive
    Include the execution date in the securities transaction notification. CC ID 16620 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain financial reports. CC ID 14770 Establish/Maintain Documentation Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Establish/Maintain Documentation Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Establish/Maintain Documentation Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588 Establish/Maintain Documentation Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Communicate Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Establish/Maintain Documentation Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Establish/Maintain Documentation Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Establish/Maintain Documentation Preventive
    Include material contingencies in the financial statement. CC ID 16596 Establish/Maintain Documentation Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Establish/Maintain Documentation Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Establish/Maintain Documentation Preventive
    Include assets and liabilities in the call report. CC ID 16729 Establish/Maintain Documentation Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Communicate Preventive
  • Monitoring and measurement
    49
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Log Management Detective
    Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211
    [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581
    [The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Installation of a systematic or technical device for preventing unlawful use of information and communications networks; Article 51(3)(1)]
    Configuration Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a system security plan. CC ID 01922
    [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)]
    Testing Preventive
    Include a system description in the system security plan. CC ID 16467 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Establish/Maintain Documentation Preventive
    Include remote access methods in the system security plan. CC ID 16441 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239
    [Every business operator who operates and manages clustered information and communications facilities to render information and communications services on behalf of another person (hereinafter referred to as "business operator of clustered information and communications facilities") shall take protective measures as prescribed by Presidential Decree to operate the information and communications facilities stably. Article 46(1)]
    Establish/Maintain Documentation Preventive
    Create specific test plans to test each system component. CC ID 00661 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Adhere to the system security plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662 Establish/Maintain Documentation Preventive
    Validate all testing assumptions in the test plans. CC ID 00663 Testing Detective
    Document validated testing processes in the testing procedures. CC ID 06200 Establish/Maintain Documentation Preventive
    Require testing procedures to be complete. CC ID 00664 Testing Detective
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Establish/Maintain Documentation Preventive
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Testing Preventive
    Implement automated audit tools. CC ID 04882 Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071 Human Resources Management Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Establish/Maintain Documentation Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitor and Evaluate Occurrences Detective
    Correct compliance violations. CC ID 13515
    [Where services which a provider of information and communications services provides to users under a contract for use are used for transmitting advertising information for profits, in violation of Article 50 or 50-8, the relevant provider of information and communications services shall formulate necessary measures, such as refusal to provide the relevant services or fix of problems of information and communications networks or services. Article 50-4(4)]
    Process or Activity Corrective
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)]
    Monitor and Evaluate Occurrences Detective
    Align corrective actions with the level of environmental impact. CC ID 15193 Business Processes Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Establish/Maintain Documentation Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Establish/Maintain Documentation Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Establish/Maintain Documentation Preventive
    Include monitoring in the corrective action plan. CC ID 11645 Monitor and Evaluate Occurrences Detective
  • Operational and Systems Continuity
    22
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [A business operator of clustered information and communications facilities shall, once the event that caused suspension of services terminates, resume its services immediately. Article 46-2(3)]
    Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Establish/Maintain Documentation Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Test the backup information, as necessary. CC ID 13303 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Communicate Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Establish/Maintain Documentation Preventive
    Include purchasing insurance in the continuity plan. CC ID 00762 Establish/Maintain Documentation Preventive
    Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682
    [Every business operator of clustered information and communications facilities shall purchase insurance policies as prescribed by Presidential Decree to cover damages that may be caused by destruction or damage of the clustered information and communications facilities or any other trouble in operation. Article 46(2)]
    Acquisition/Sale of Assets or Services Preventive
  • Operational management
    293
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Establishment and implementation of an internal control plan for managing personal information in a safe way; Article 28(1)(1)]
    Establish/Maintain Documentation Preventive
    Define the scope for the internal control framework. CC ID 16325 Business Processes Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Business Processes Detective
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Actionable Reports or Measurements Corrective
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Establish Roles Preventive
    Assign resources to implement the internal control framework. CC ID 00816 Business Processes Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Establish Roles Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Business Processes Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Establish/Maintain Documentation Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Establish/Maintain Documentation Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Business Processes Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Establish/Maintain Documentation Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Establish/Maintain Documentation Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Establish/Maintain Documentation Preventive
    Automate threat assessments, as necessary. CC ID 06877 Configuration Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Establish/Maintain Documentation Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Configuration Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Establish/Maintain Documentation Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Establish/Maintain Documentation Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Establish/Maintain Documentation Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Establish/Maintain Documentation Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Establish/Maintain Documentation Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Establish/Maintain Documentation Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Communicate Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [A chief information protection officer shall be responsible for the following matters: Analysis/evaluation and improvement of the weakness of information protection; Article 45-3(3)(2)
    A chief information protection officer shall be responsible for the following matters: Preparation of preliminary measures for information protection and designing/realization, etc. of security measures; Article 45-3(3)(4)
    A chief information protection officer shall be responsible for the following matters: Other matters, such as taking necessary measures for protection of information pursuant to this Act or other relevant statutes. Article 45-3(3)(7)
    Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373
    [A chief information protection officer shall be responsible for the following matters: Establishment and administration/operation of an administrative system for information protection; Article 45-3(3)(1)
    Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Establish/Maintain Documentation Preventive
    Include system development in the information security program. CC ID 12389 Establish/Maintain Documentation Preventive
    Include system maintenance in the information security program. CC ID 12388 Establish/Maintain Documentation Preventive
    Include system acquisition in the information security program. CC ID 12387 Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386 Establish/Maintain Documentation Preventive
    Review and approve access controls, as necessary. CC ID 13074 Process or Activity Detective
    Include operations management in the information security program. CC ID 12385 Establish/Maintain Documentation Preventive
    Include communication management in the information security program. CC ID 12384 Establish/Maintain Documentation Preventive
    Include environmental security in the information security program. CC ID 12383 Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382 Establish/Maintain Documentation Preventive
    Include human resources security in the information security program. CC ID 12381 Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380 Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Establish/Maintain Documentation Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Establish/Maintain Documentation Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Establish/Maintain Documentation Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Provide management direction and support for the information security program. CC ID 11999 Process or Activity Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744
    [A chief information protection officer shall be responsible for the following matters: Review of a preliminary security for information protection; Article 45-3(3)(5)]
    Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740 Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include business processes in the information security policy. CC ID 16326 Establish/Maintain Documentation Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Establish/Maintain Documentation Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Include notification procedures in the information security policy. CC ID 16842 Establish/Maintain Documentation Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Process or Activity Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Business Processes Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Communicate Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Process or Activity Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Communicate Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Establish/Maintain Documentation Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Business Processes Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Behavior Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Establish/Maintain Documentation Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Establish/Maintain Documentation Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Establish/Maintain Documentation Preventive
    Perform social network analysis, as necessary. CC ID 14864 Investigate Detective
    Establish, implement, and maintain operational control procedures. CC ID 00831
    [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Establish/Maintain Documentation Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Establish/Maintain Documentation Preventive
    Include startup processes in operational control procedures. CC ID 00833 Establish/Maintain Documentation Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Establish/Maintain Documentation Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Establish/Maintain Documentation Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Process or Activity Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Establish/Maintain Documentation Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Establish/Maintain Documentation Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Establish/Maintain Documentation Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Establish/Maintain Documentation Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Establish/Maintain Documentation Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Establish/Maintain Documentation Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Establish/Maintain Documentation Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Establish/Maintain Documentation Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Establish/Maintain Documentation Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Establish/Maintain Documentation Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Establish/Maintain Documentation Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Records Management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Business Processes Preventive
    Provide support for information sharing activities. CC ID 15644 Process or Activity Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Communicate Preventive
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Establish/Maintain Documentation Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Establish/Maintain Documentation Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Establish/Maintain Documentation Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Establish/Maintain Documentation Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Establish/Maintain Documentation Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Service Management System. CC ID 13889 Business Processes Preventive
    Establish, implement, and maintain a service management program. CC ID 11388
    [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)]
    Establish/Maintain Documentation Preventive
    Communicate the service management program to interested personnel and affected parties. CC ID 13904 Communicate Preventive
    Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 Communicate Preventive
    Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 Communicate Preventive
    Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 Communicate Preventive
    Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 Communicate Preventive
    Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 Communicate Preventive
    Include a service management plan in the service management program. CC ID 13902 Establish/Maintain Documentation Preventive
    Include the information security policy in the service management program. CC ID 13925 Establish/Maintain Documentation Preventive
    Include the change management policy in the service management program. CC ID 13923 Establish/Maintain Documentation Preventive
    Include the service management objectives in the service management program. CC ID 11389 Establish/Maintain Documentation Preventive
    Include the service requirements in the service management program. CC ID 11390 Establish/Maintain Documentation Preventive
    Include known limitations in the service management program. CC ID 11391 Establish/Maintain Documentation Preventive
    Include service management policies in the service management program. CC ID 11392 Establish/Maintain Documentation Preventive
    Assign roles and responsibilities in the service management program. CC ID 11393 Establish/Maintain Documentation Preventive
    Include all resources needed to achieve the objectives in the service management program. CC ID 11394 Establish/Maintain Documentation Preventive
    Include supply chain management procedures in the service management program. CC ID 11395 Establish/Maintain Documentation Preventive
    Include service management procedures in the service management program. CC ID 11396 Establish/Maintain Documentation Preventive
    Include risk procedures in the service management program. CC ID 11397 Establish/Maintain Documentation Preventive
    Include continuity plans in the Service Management program. CC ID 13919 Establish/Maintain Documentation Preventive
    Include all technologies used to support service management in the service management program. CC ID 11398 Establish/Maintain Documentation Preventive
    Include auditing and improving service management procedures in the service management program. CC ID 11399 Establish/Maintain Documentation Preventive
    Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459
    [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)
    {relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3)]
    Communicate Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Business Processes Preventive
    Include detection procedures in the Incident Management program. CC ID 00588 Establish/Maintain Documentation Preventive
    Contain the incident to prevent further loss. CC ID 01751
    [A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an abnormality found in the information system of a person who uses clustered information and communications facilities (hereinafter referred to as "user of facilities") will probably cause a serious trouble to the information system of other users of facilities or clustered information and communications facilities; Article 46-2(1)(1)
    A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an intrusion from outside will probably cause a serious trouble to the clustered information and communications facilities; Article 46-2(1)(2)
    {relevant authority}A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If there occurs a serious intrusion and the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency requests to suspend the services. Article 46-2(1)(3)]
    Process or Activity Corrective
    Wipe data and memory after an incident has been detected. CC ID 16850 Technical Security Corrective
    Refrain from accessing compromised systems. CC ID 01752 Technical Security Corrective
    Isolate compromised systems from the network. CC ID 01753 Technical Security Corrective
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Log Management Corrective
    Change authenticators after a security incident has been detected. CC ID 06789 Technical Security Corrective
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Investigate Detective
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Establish/Maintain Documentation Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Establish/Maintain Documentation Detective
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Establish/Maintain Documentation Detective
    Share incident information with interested personnel and affected parties. CC ID 01212
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Data and Information Management Corrective
    Share data loss event information with the media. CC ID 01759 Behavior Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Data and Information Management Preventive
    Share data loss event information with interconnected system owners. CC ID 01209 Establish/Maintain Documentation Corrective
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Communicate Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Communicate Preventive
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Establish/Maintain Documentation Preventive
    Report data loss event information to breach notification organizations. CC ID 01210
    [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5)
    {relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)
    {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3)
    {relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)
    {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1)
    {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4)
    {relevant authority} A person falling under any of the following subparagraphs shall, where he or she discovers an intrusion, immediately report it to the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency. In such cases, a notice given in accordance with Article 13 (1) of the Act on the Protection of Information and Communications Infrastructure shall be deemed a report under the foregoing sentence: Article 48-3(1)
    {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)]
    Data and Information Management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Log Management Detective
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Communicate Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Communicate Preventive
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Behavior Corrective
    Include data loss event notifications in the Incident Response program. CC ID 00364 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365
    [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)]
    Behavior Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Behavior Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Behavior Corrective
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Establish/Maintain Documentation Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Communicate Preventive
    Revoke the written request to delay the notification. CC ID 16843 Process or Activity Preventive
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Establish/Maintain Documentation Preventive
    Avoid false positive incident response notifications. CC ID 04732 Behavior Detective
    Establish, implement, and maintain incident response notifications. CC ID 12975 Establish/Maintain Documentation Corrective
    Refrain from charging for providing incident response notifications. CC ID 13876 Business Processes Preventive
    Include information required by law in incident response notifications. CC ID 00802 Establish/Maintain Documentation Detective
    Title breach notifications "Notice of Data Breach". CC ID 12977 Establish/Maintain Documentation Preventive
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Establish/Maintain Documentation Preventive
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Establish/Maintain Documentation Preventive
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Establish/Maintain Documentation Preventive
    Use plain language to write incident response notifications. CC ID 12976 Establish/Maintain Documentation Preventive
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Establish/Maintain Documentation Preventive
    Refrain from including restricted information in the incident response notification. CC ID 16806 Actionable Reports or Measurements Preventive
    Include the affected parties' rights in the incident response notification. CC ID 16811 Establish/Maintain Documentation Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Establish/Maintain Documentation Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Establish/Maintain Documentation Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Establish/Maintain Documentation Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734
    [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)
    A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Establish/Maintain Documentation Preventive
    Include time information in incident response notifications. CC ID 04745 Establish/Maintain Documentation Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Establish/Maintain Documentation Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Establish/Maintain Documentation Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735
    [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1)]
    Establish/Maintain Documentation Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Establish/Maintain Documentation Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Establish/Maintain Documentation Preventive
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Establish/Maintain Documentation Preventive
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Establish/Maintain Documentation Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Establish/Maintain Documentation Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Establish/Maintain Documentation Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Establish/Maintain Documentation Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Establish/Maintain Documentation Preventive
    Include any consequences in the incident response notifications. CC ID 12604 Establish/Maintain Documentation Preventive
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Establish/Maintain Documentation Preventive
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Establish/Maintain Documentation Preventive
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Establish/Maintain Documentation Detective
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Communicate Corrective
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Business Processes Corrective
    Include contact information in incident response notifications. CC ID 04739
    [{relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5)]
    Establish/Maintain Documentation Preventive
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Communicate Preventive
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Behavior Corrective
    Post the incident response notification on the organization's website. CC ID 16809 Process or Activity Preventive
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Behavior Corrective
    Document the determination for providing a substitute incident response notification. CC ID 16841 Process or Activity Preventive
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Behavior Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Behavior Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Behavior Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Establish/Maintain Documentation Preventive
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Establish/Maintain Documentation Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Behavior Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Behavior Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Behavior Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Behavior Corrective
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Communicate Corrective
    Include incident reporting procedures in the Incident Management program. CC ID 11772 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142
    [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)]
    Communicate Preventive
    Provide customer security advice, as necessary. CC ID 13674
    [{relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3)
    A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)]
    Communicate Preventive
    Use simple understandable language when providing customer security advice. CC ID 13685 Communicate Preventive
    Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 Communicate Preventive
    Display customer security advice prominently. CC ID 13667 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Establish/Maintain Documentation Preventive
    Create an incident response report following an incident response. CC ID 12700 Establish/Maintain Documentation Preventive
    Include information on all affected assets in the incident response report. CC ID 12718
    [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)]
    Establish/Maintain Documentation Preventive
    Include the duration of the incident in the incident response report. CC ID 12716
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Establish/Maintain Documentation Preventive
    Include the reasons the incident occurred in the incident response report. CC ID 12711
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Establish/Maintain Documentation Preventive
    Include when the incident occurred in the incident response report. CC ID 12709
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)
    {relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)]
    Establish/Maintain Documentation Preventive
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708
    [{relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4)]
    Establish/Maintain Documentation Preventive
    Include a root cause analysis of the incident in the incident response report. CC ID 12701
    [{relevant authority}{loss}{theft}{leakage}{personal information} A provider of information and communications services, etc. shall explain just cause under the main sentence of and proviso to paragraph (1) to the Korea Communications Commission. Article 27-3(3)]
    Establish/Maintain Documentation Preventive
    Analyze and respond to security alerts. CC ID 12504
    [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)]
    Business Processes Detective
    Mitigate reported incidents. CC ID 12973
    [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)]
    Actionable Reports or Measurements Preventive
    Establish, implement, and maintain an incident response plan. CC ID 12056
    [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)]
    Establish/Maintain Documentation Preventive
    Include addressing external communications in the incident response plan. CC ID 13351 Establish/Maintain Documentation Preventive
    Include addressing internal communications in the incident response plan. CC ID 13350 Establish/Maintain Documentation Preventive
    Include change control procedures in the incident response plan. CC ID 15479 Establish/Maintain Documentation Preventive
    Include addressing information sharing in the incident response plan. CC ID 13349 Establish/Maintain Documentation Preventive
    Include dynamic reconfiguration in the incident response plan. CC ID 14306 Establish/Maintain Documentation Preventive
    Include a definition of reportable incidents in the incident response plan. CC ID 14303 Establish/Maintain Documentation Preventive
    Include the management support needed for incident response in the incident response plan. CC ID 14300 Establish/Maintain Documentation Preventive
    Include root cause analysis in the incident response plan. CC ID 16423 Establish/Maintain Documentation Preventive
    Include how incident response fits into the organization in the incident response plan. CC ID 14294 Establish/Maintain Documentation Preventive
    Include the resources needed for incident response in the incident response plan. CC ID 14292 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a change control program. CC ID 00886 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a software release policy. CC ID 00893 Establish/Maintain Documentation Preventive
    Disseminate and communicate software update information to users and regulators. CC ID 06602
    [{relevant authority} A software business operator under Article 2 of the Software Industry Promotion Act shall, when he or she produced a program that improves weaknesses in security, notify the Korea Internet and Security Agency of its production, and shall notify users of the software of the production at least twice within one month from the date of production. Article 47-4(3)]
    Behavior Preventive
    Manage the creation of products and services, as necessary. CC ID 13497 Business Processes Preventive
    Delete age-restricted content, as necessary. CC ID 15450
    [A provider of information and communications services shall, if there is any unwholesome medium for juvenile published in violation of the labeling method under Article 42 in the information and communications network operated and managed by him or her or if a content advertising any unwholesome medium for juvenile is displayed in such network without any measures to restrict access by juvenile under Article 42-2, delete such content without delay. Article 44-2(3)]
    Process or Activity Preventive
    Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448
    [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3)]
    Establish/Maintain Documentation Preventive
    Control the distribution of media containing age-restricted content, as necessary. CC ID 15446
    [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with an obscene content distributed, sold, rented, or displayed openly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(1)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within an unwholesome medium for juvenile under the Juvenile Protection Act and that is provided for profit without fulfilling the duties and obligations under relevant statutes, including the duty to verify the opposite party's age and the duty of labeling; Article 44-7(1)(5)
    {refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1]
    Process or Activity Preventive
  • Physical and environmental protection
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Physical and environmental protection CC ID 00709 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a physical security program. CC ID 11757 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Establish/Maintain Documentation Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Establish/Maintain Documentation Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Behavior Preventive
    Protect the facility from crime. CC ID 06347 Physical and Environmental Protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Establish/Maintain Documentation Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Establish/Maintain Documentation Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and Environmental Protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and Environmental Protection Detective
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Technical Security Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Establish/Maintain Documentation Preventive
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and Environmental Protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and Environmental Protection Preventive
    Create security zones in facilities, as necessary. CC ID 16295 Physical and Environmental Protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and Environmental Protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Establish/Maintain Documentation Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Establish/Maintain Documentation Preventive
    Post floor plans of critical facilities in secure locations. CC ID 16138 Communicate Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Establish/Maintain Documentation Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and Environmental Protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and Environmental Protection Preventive
    Detect anomalies in physical barriers. CC ID 13533 Investigate Detective
    Maintain all security alarm systems. CC ID 11669 Physical and Environmental Protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Establish/Maintain Documentation Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and Environmental Protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629 Establish/Maintain Documentation Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and Environmental Protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and Environmental Protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Establish/Maintain Documentation Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Establish/Maintain Documentation Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and Environmental Protection Preventive
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Testing Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Behavior Preventive
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Establish/Maintain Documentation Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Establish/Maintain Documentation Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and Environmental Protection Corrective
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Establish/Maintain Documentation Preventive
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Establish/Maintain Documentation Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Human Resources Management Preventive
    Implement physical identification processes. CC ID 13715 Process or Activity Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Process or Activity Preventive
    Issue photo identification badges to all employees. CC ID 12326 Physical and Environmental Protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Testing Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Establish/Maintain Documentation Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Establish/Maintain Documentation Corrective
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and Environmental Protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Behavior Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Human Resources Management Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and Environmental Protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Behavior Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and Environmental Protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Behavior Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and Environmental Protection Preventive
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Establish/Maintain Documentation Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Process or Activity Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Establish/Maintain Documentation Preventive
    Include an appeal process in the identification issuance procedures. CC ID 15428 Business Processes Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Establish/Maintain Documentation Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Process or Activity Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Establish/Maintain Documentation Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Establish/Maintain Documentation Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and Environmental Protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and Environmental Protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and Environmental Protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and Environmental Protection Preventive
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Establish/Maintain Documentation Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Human Resources Management Preventive
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Establish/Maintain Documentation Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Establish/Maintain Documentation Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Configuration Preventive
    Install emergency doors to permit egress only. CC ID 06688 Configuration Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Configuration Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and Environmental Protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Configuration Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Testing Detective
    Secure unissued access mechanisms. CC ID 06713 Technical Security Preventive
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Establish/Maintain Documentation Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Technical Security Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Establish/Maintain Documentation Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Configuration Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Configuration Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Establish/Maintain Documentation Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and Environmental Protection Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and Environmental Protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and Environmental Protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and Environmental Protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and Environmental Protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and Environmental Protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and Environmental Protection Preventive
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and Environmental Protection Preventive
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and Environmental Protection Preventive
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and Environmental Protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Establish/Maintain Documentation Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and Environmental Protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and Environmental Protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and Environmental Protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and Environmental Protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and Environmental Protection Detective
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and Environmental Protection Preventive
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Establish/Maintain Documentation Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Communicate Preventive
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Monitor and Evaluate Occurrences Detective
    Establish and maintain a visitor log. CC ID 00715 Log Management Preventive
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Investigate Detective
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Establish/Maintain Documentation Preventive
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Behavior Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Log Management Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Log Management Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Log Management Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Establish/Maintain Documentation Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Establish/Maintain Documentation Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Log Management Preventive
    Establish, implement, and maintain a physical access log. CC ID 12080 Establish/Maintain Documentation Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Log Management Preventive
    Log when the vault is accessed. CC ID 06725 Log Management Detective
    Log when the cabinet is accessed. CC ID 11674 Log Management Detective
    Store facility access logs in off-site storage. CC ID 06958 Log Management Preventive
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Monitor and Evaluate Occurrences Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Monitor and Evaluate Occurrences Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Monitor and Evaluate Occurrences Detective
    Configure video cameras to cover all physical entry points. CC ID 06302 Configuration Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Configuration Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Records Management Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and Environmental Protection Detective
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Monitor and Evaluate Occurrences Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Establish/Maintain Documentation Preventive
    Build and maintain fencing, as necessary. CC ID 02235 Physical and Environmental Protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and Environmental Protection Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and Environmental Protection Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Establish Roles Preventive
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Establish/Maintain Documentation Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and Environmental Protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Configuration Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Behavior Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Behavior Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Business Processes Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Behavior Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Behavior Preventive
  • Privacy protection for information and data
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Privacy protection for information and data CC ID 00008 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850
    [{unauthorized manipulation} The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Systematic and technical measures for preventing unlawful destruction or manipulation of information; Article 51(3)(2)]
    Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Data and Information Management Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Establish/Maintain Documentation Preventive
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Establish/Maintain Documentation Preventive
    Include the processing purpose in the privacy notice. CC ID 16543 Establish/Maintain Documentation Preventive
    Include contact information in the privacy notice. CC ID 14432
    [{be responsible} The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name and address of the person responsible for protection of personal information or the department responsible for business affairs related to the protection of personal information and processing related complaints and other contact information of such person or department. Article 27-2(2)(7)]
    Establish/Maintain Documentation Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Establish/Maintain Documentation Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Establish/Maintain Documentation Preventive
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Establish/Maintain Documentation Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Establish/Maintain Documentation Preventive
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Establish/Maintain Documentation Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457 Establish/Maintain Documentation Preventive
    Include disclosure exceptions in the privacy notice. CC ID 13447 Establish/Maintain Documentation Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Establish/Maintain Documentation Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Establish/Maintain Documentation Preventive
    Specify the time frame that notice will be given. CC ID 00385 Establish/Maintain Documentation Preventive
    Include the information about the appeal process in the privacy notice. CC ID 15312
    [{information}{violate}{right} Every provider of information and communications services shall clearly state the details, procedure, and other matters concerning necessary measures in its standardized agreement in advance. Article 44-2(5)]
    Establish/Maintain Documentation Preventive
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Establish/Maintain Documentation Preventive
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Communicate Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Communicate Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Establish/Maintain Documentation Preventive
    Update privacy notices, as necessary. CC ID 13474 Communicate Preventive
    Redeliver privacy notices, as necessary. CC ID 14850 Communicate Preventive
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Communicate Preventive
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Communicate Preventive
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Establish/Maintain Documentation Corrective
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Establish/Maintain Documentation Preventive
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Establish/Maintain Documentation Preventive
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Establish/Maintain Documentation Preventive
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain opt-out notices. CC ID 13448 Establish/Maintain Documentation Preventive
    Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Establish/Maintain Documentation Preventive
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467 Establish/Maintain Documentation Preventive
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Establish/Maintain Documentation Preventive
    Explain the right to opt out in the opt-out notice. CC ID 13462 Establish/Maintain Documentation Preventive
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Establish/Maintain Documentation Preventive
    Deliver opt-out notices, as necessary. CC ID 13449 Communicate Preventive
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Communicate Preventive
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Communicate Preventive
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Communicate Preventive
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Communicate Preventive
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Data and Information Management Preventive
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Communicate Preventive
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Communicate Preventive
    Provide the data subject with a notice of participation procedures. CC ID 06241 Establish/Maintain Documentation Preventive
    Deliver notices to the intended parties. CC ID 06240 Data and Information Management Preventive
    Notify data subjects about their privacy rights. CC ID 12989
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Rights of users and their legal representatives and methods for the exercise of such rights; Article 27-2(2)(5)]
    Communicate Preventive
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Communicate Preventive
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Process or Activity Detective
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Data and Information Management Preventive
    Provide public proof the organization participates in a privacy program. CC ID 12349 Communicate Preventive
    Publish a description of processing activities in an official register. CC ID 00379 Establish/Maintain Documentation Preventive
    Establish and maintain a records request manual. CC ID 00381 Establish/Maintain Documentation Preventive
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Establish/Maintain Documentation Preventive
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383
    [{relevant authority} A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Article 53(1)]
    Behavior Preventive
    Define what is included in registration notices. CC ID 00386 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the registration notice. CC ID 16803 Establish Roles Preventive
    Include the verification method in the registration notice. CC ID 16798 Establish/Maintain Documentation Preventive
    Include the statutory authority in the registration notice. CC ID 16799 Establish/Maintain Documentation Preventive
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Establish/Maintain Documentation Preventive
    Include a purpose specification description in the registration notice. CC ID 00388 Establish/Maintain Documentation Preventive
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Establish/Maintain Documentation Preventive
    Include the data subject category being processed in the registration notice. CC ID 00389 Establish/Maintain Documentation Preventive
    Include the time period for data processing in the registration notice. CC ID 00390 Establish/Maintain Documentation Preventive
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Establish/Maintain Documentation Preventive
    Provide legal authorities access to personal data, upon request. CC ID 06818 Data and Information Management Preventive
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Process or Activity Preventive
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Establish/Maintain Documentation Preventive
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Establish/Maintain Documentation Preventive
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Process or Activity Preventive
    Document the countries where restricted data may be stored. CC ID 12750 Data and Information Management Preventive
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Data and Information Management Preventive
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Technical Security Preventive
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Records Management Preventive
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Records Management Preventive
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Records Management Corrective
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Records Management Corrective
    Define the criteria for waivers of data subjects' rights. CC ID 16858 Behavior Preventive
    Revoke waivers of data subject's rights, as necessary. CC ID 16859 Behavior Preventive
    Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Establish/Maintain Documentation Preventive
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Establish/Maintain Documentation Preventive
    Disclose educational data, as necessary. CC ID 00223 Data and Information Management Preventive
    Grant access to education records in support of educational program audits. CC ID 13032 Records Management Preventive
    Grant access to education records in support of external requirements. CC ID 13033 Records Management Preventive
    Disclose statements added to education records, as necessary. CC ID 12990 Communicate Preventive
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Data and Information Management Preventive
    Disclose education records when written consent is received. CC ID 00224 Data and Information Management Preventive
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Establish/Maintain Documentation Preventive
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Establish/Maintain Documentation Preventive
    Specify which education records may be disclosed in the written consent. CC ID 13000 Establish/Maintain Documentation Preventive
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Establish/Maintain Documentation Preventive
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Communicate Preventive
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Communicate Preventive
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Communicate Preventive
    Disclose educational data absent consent to other school officials. CC ID 00226 Data and Information Management Preventive
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Data and Information Management Preventive
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Data and Information Management Preventive
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Communicate Preventive
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Data and Information Management Preventive
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Data and Information Management Preventive
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Data and Information Management Preventive
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Data and Information Management Preventive
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Data and Information Management Preventive
    Disclose educational data absent consent to a crime victim. CC ID 00236 Data and Information Management Preventive
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Establish/Maintain Documentation Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625
    [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2)
    A provider of information and communications services may, if it is difficult to judge whether information violates any right or it is anticipated that there will probably be a dispute between interested parties, take a measure to block access to the information temporarily (hereinafter referred to as "temporary measures"), irrespective of a request for deletion of the information under paragraph (1). In such cases, the period of time for the temporary measure shall not exceed 30 days. Article 44-2(4)]
    Communicate Preventive
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Communicate Preventive
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Communicate Preventive
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Communicate Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Communicate Preventive
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Communicate Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393
    [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)]
    Establish/Maintain Documentation Preventive
    Provide the data subject with the data retention period for personal data. CC ID 12587
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4)]
    Process or Activity Preventive
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Process or Activity Preventive
    Provide the data subject with the adequacy decision. CC ID 12586 Process or Activity Preventive
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Process or Activity Preventive
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Process or Activity Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Data and Information Management Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Business Processes Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Business Processes Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Process or Activity Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Process or Activity Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A provider of information and communications services or similar falling under the standards determined by Presidential Decree shall periodically notify the users of the details of using personal information of such users (including details of the provision under Article 24-2 and of the entrustment of management of personal information under Article 25) in accordance with Article 22 and the proviso to Article 23 (1): Provided, That this shall not apply in cases where the provider of information and communications services or similar does not collect any contact information or other personal information that can be notified to users. Article 30-2(1)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)]
    Establish/Maintain Documentation Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: Items of the personal information transferred; Article 63(3)(1)]
    Data and Information Management Preventive
    Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Establish/Maintain Documentation Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Establish/Maintain Documentation Preventive
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Establish/Maintain Documentation Preventive
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Establish/Maintain Documentation Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)]
    Establish/Maintain Documentation Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Establish/Maintain Documentation Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Establish/Maintain Documentation Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Establish/Maintain Documentation Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134
    [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The name (referring to the name of a legal corporation, if the person is a legal corporation; hereafter the same shall apply in this Article), address, and telephone number of a person to whom the personal information is to be transferred (hereinafter referred to as a "transferee of business or similar"), and other contact information of the person; Article 26(1)(2)
    If any personal information is transferred to a transferee of business, etc., he or she shall immediately notify the users of such fact and his or her name, domicile, telephone number and other contact details according to methods prescribed by Presidential Decree, such as the posting of such information on the Internet homepage or email. Article 26(2)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The name of the person to whom the personal information is to be transferred (referring to the name of a legal entity and the contact information of the person responsible for management of information, if the person is a legal entity); Article 63(3)(3)]
    Establish/Maintain Documentation Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Establish/Maintain Documentation Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Establish/Maintain Documentation Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Establish/Maintain Documentation Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Establish/Maintain Documentation Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Establish/Maintain Documentation Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Establish/Maintain Documentation Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Establish/Maintain Documentation Preventive
    Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 Data and Information Management Preventive
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Communicate Preventive
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Establish/Maintain Documentation Preventive
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Process or Activity Preventive
    Make telephone directory information available to the public. CC ID 08698 Establish/Maintain Documentation Preventive
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Technical Security Preventive
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Establish/Maintain Documentation Preventive
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Process or Activity Preventive
    Establish, implement, and maintain a privacy policy. CC ID 06281
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)]
    Establish/Maintain Documentation Preventive
    Include the data subject's rights in the privacy policy. CC ID 16355 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943
    [{make aware} Every provider of information and communications services or similar shall, when he or she revises the policy on managing personal information under paragraph (1), give public notice of the reasons for and details of such revision without delay in a manner specified by Presidential Decree, and take measures to make users aware of the details of the revision easily at any time. Article 27-2(3)]
    Behavior Preventive
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Establish/Maintain Documentation Detective
    Write privacy notices in the official languages required by law. CC ID 16529 Establish/Maintain Documentation Preventive
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Establish/Maintain Documentation Preventive
    Define what is included in the privacy policy. CC ID 00404 Establish/Maintain Documentation Preventive
    Define the information being collected in the privacy policy. CC ID 13115
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)]
    Establish/Maintain Documentation Preventive
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Establish/Maintain Documentation Preventive
    Include the means by which information is collected in the privacy policy. CC ID 13114
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)]
    Establish/Maintain Documentation Preventive
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Establish/Maintain Documentation Corrective
    Include roles and responsibilities in the privacy policy. CC ID 14669 Establish/Maintain Documentation Preventive
    Include management commitment in the privacy policy. CC ID 14668 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the privacy policy. CC ID 14667 Establish/Maintain Documentation Preventive
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Establish/Maintain Documentation Preventive
    Include compliance requirements in the privacy policy. CC ID 14666 Establish/Maintain Documentation Preventive
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Establish/Maintain Documentation Preventive
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Establish/Maintain Documentation Corrective
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Establish/Maintain Documentation Preventive
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Establish/Maintain Documentation Preventive
    Include a complaint form in the privacy policy. CC ID 12364 Establish/Maintain Documentation Preventive
    Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 Establish/Maintain Documentation Preventive
    Include the processing purpose in the privacy policy. CC ID 00406
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)]
    Establish/Maintain Documentation Preventive
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Establish/Maintain Documentation Preventive
    Include the data subject categories being processed in the privacy policy. CC ID 00407
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)]
    Establish/Maintain Documentation Preventive
    Define the retention period for collected information in the privacy policy. CC ID 13116
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)]
    Establish/Maintain Documentation Preventive
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)]
    Establish/Maintain Documentation Preventive
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)]
    Establish/Maintain Documentation Preventive
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Establish/Maintain Documentation Preventive
    Include instructions on how to opt-out in the privacy policy. CC ID 00411 Establish/Maintain Documentation Preventive
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Establish/Maintain Documentation Preventive
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6)
    A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1]
    Establish/Maintain Documentation Preventive
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6)]
    Establish/Maintain Documentation Preventive
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Establish/Maintain Documentation Preventive
    Post the privacy policy in an easily seen location. CC ID 00401 Establish/Maintain Documentation Preventive
    Define who will receive the privacy policy. CC ID 00402 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)]
    Communicate Preventive
    Establish, implement, and maintain privacy procedures. CC ID 14665 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Communicate Preventive
    Establish, implement, and maintain a privacy plan. CC ID 14672 Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the privacy plan. CC ID 14705 Process or Activity Preventive
    Approve the privacy plan. CC ID 14700 Business Processes Preventive
    Include privacy requirements in the privacy plan. CC ID 14699 Establish/Maintain Documentation Preventive
    Include the information types in the privacy plan. CC ID 14695 Establish/Maintain Documentation Preventive
    Include threats in the privacy plan. CC ID 14694 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the privacy plan. CC ID 14702 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the privacy plan. CC ID 14692 Establish/Maintain Documentation Preventive
    Include risk assessment results in the privacy plan. CC ID 14701 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Establish/Maintain Documentation Preventive
    Include security controls in the privacy plan. CC ID 14681 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Communicate Preventive
    Include a description of the operational environment in the privacy plan. CC ID 14679 Establish/Maintain Documentation Preventive
    Include network diagrams in the privacy plan. CC ID 14678 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a privacy report. CC ID 14754 Establish/Maintain Documentation Preventive
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Communicate Preventive
    Protect private communications in keeping with compliance requirements. CC ID 14334 Business Processes Preventive
    Disseminate private communications when required by law. CC ID 14335 Communicate Corrective
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569
    [A person who obtains consent to receive advertising information pursuant to paragraph (1) or (3) shall regularly verify whether an addressee of advertising information consents to receive such information, as prescribed by Presidential Decree. Article 50(8)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546 Establish/Maintain Documentation Preventive
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [{refrain from refusing}{do not consent}{not necessary} No provider of information and communications services shall refuse to provide the relevant services to users on the ground that the users give no consent to the establishment of access authority not certainly necessary to provide the relevant services. Article 22-2(2)
    {refrain from refusing} No provider of information and communications services shall refuse to provide such services on the ground that a user does not provide personal information other than the minimum personal information required. In such cases, the minimum personal information required means information that is specifically required to perform essential functions of the relevant services. Article 23(3)
    {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)]
    Human Resources Management Preventive
    Refrain from charging a fee to implement an opt-out request. CC ID 13877
    [A person who transmits advertising information for profit by using an electronic transmission medium shall take necessary measures so that an addressee does not incur any cost, such as telephone charges, when the addressee refuses to receive or revokes his or her consent to receive such information, as prescribed by Presidential Decree. Article 50(6)]
    Business Processes Preventive
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433
    [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to the provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3)]
    Establish/Maintain Documentation Preventive
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438
    [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)]
    Establish/Maintain Documentation Preventive
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Establish/Maintain Documentation Preventive
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Establish/Maintain Documentation Preventive
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Establish/Maintain Documentation Preventive
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Establish/Maintain Documentation Preventive
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Establish/Maintain Documentation Preventive
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Establish/Maintain Documentation Preventive
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Establish/Maintain Documentation Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 Business Processes Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Business Processes Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391
    [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The methods and procedures available for revocation of consent, where a user does not want his or her personal information transferred to a third party. Article 26(1)(3)
    Every user may, at any time, revoke his or her consent given to a provider of information and communications services or similar to allow the provider to collect, use, or furnish his or her personal information. Article 30(1)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to the provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3)
    {not necessary}{do not consent} Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Fact that users may give no consent to the permission on access authority. Article 22-2(1)(2)(c)]
    Data and Information Management Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Business Processes Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Business Processes Preventive
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Data and Information Management Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Business Processes Preventive
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Process or Activity Preventive
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Establish/Maintain Documentation Preventive
    Allow consent requests to be provided in any official languages. CC ID 16530 Business Processes Preventive
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 Communicate Preventive
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Records Management Preventive
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Data and Information Management Preventive
    Refrain from obtaining consent through deception. CC ID 13556 Data and Information Management Preventive
    Give individuals the ability to change the uses of their personal data. CC ID 00469
    [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)]
    Data and Information Management Preventive
    Notify data subjects of the implications of withdrawing consent. CC ID 13551
    [Where an addressee gives prior consent under paragraph (1) or expresses his or her intention to refuse to receive or revoke his or her consent to receive advertising information under paragraph (2), a person who intends to transmit advertising information for profit by using an electronic transmission medium shall inform the relevant addressee of the outcomes of measures taken in relation to consent to receive, refusal to receive, or revocation of consent to receive advertising information, as prescribed by Presidential Decree. Article 50(7)]
    Data and Information Management Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Establish/Maintain Documentation Preventive
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Human Resources Management Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Establish Roles Preventive
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Human Resources Management Preventive
    Notify the supervisory authority. CC ID 00472
    [{relevant authority}{collection}{personal data} A provider of information and communications services shall, whenever it discovers a violation of paragraph (1), immediately report it to the Minister of Science, Information and Communications Technology (ICT) and Future Planning, the Korea Communications Commission, or the Korea Internet and Security Agency. Article 49-2(2)]
    Behavior Preventive
    Establish, implement, and maintain approval applications. CC ID 16778 Establish/Maintain Documentation Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Business Processes Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Communicate Preventive
    Include required information in the approval application. CC ID 16628 Establish/Maintain Documentation Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Business Processes Preventive
    Approve the approval application unless applicant has been convicted. CC ID 16603 Process or Activity Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Process or Activity Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Communicate Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Communicate Corrective
    Cooperate with Data Protection Authorities. CC ID 06870 Data and Information Management Preventive
    Submit a safe harbor self-certification letter. CC ID 06871 Establish/Maintain Documentation Preventive
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Human Resources Management Preventive
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Establish/Maintain Documentation Preventive
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Establish/Maintain Documentation Preventive
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Establish/Maintain Documentation Preventive
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Establish/Maintain Documentation Preventive
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Establish/Maintain Documentation Preventive
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Establish/Maintain Documentation Preventive
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Establish/Maintain Documentation Preventive
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Establish/Maintain Documentation Preventive
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Establish/Maintain Documentation Preventive
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Establish/Maintain Documentation Preventive
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Establish/Maintain Documentation Preventive
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Establish/Maintain Documentation Preventive
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Establish/Maintain Documentation Preventive
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Establish/Maintain Documentation Preventive
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Establish/Maintain Documentation Preventive
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Establish/Maintain Documentation Preventive
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Establish/Maintain Documentation Preventive
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Establish/Maintain Documentation Preventive
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Establish/Maintain Documentation Preventive
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Establish/Maintain Documentation Preventive
    Notify the data controller of any changes in data processors. CC ID 12648 Communicate Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [A provider, etc. of information and communications shall, when entrusting a trustee with management of personal information, do so in writing. Article 25(6)]
    Establish/Maintain Documentation Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Establish/Maintain Documentation Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Establish/Maintain Documentation Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Establish/Maintain Documentation Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 Establish/Maintain Documentation Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)]
    Establish/Maintain Documentation Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 Establish/Maintain Documentation Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935 Establish/Maintain Documentation Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Establish/Maintain Documentation Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Establish/Maintain Documentation Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 Establish/Maintain Documentation Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Establish/Maintain Documentation Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Human Resources Management Preventive
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Establish/Maintain Documentation Preventive
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Establish/Maintain Documentation Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Data and Information Management Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Data and Information Management Preventive
    Notify the data subject of the collection purpose. CC ID 00095
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)
    A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1]
    Behavior Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Data and Information Management Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Establish/Maintain Documentation Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Behavior Preventive
    Notify the data subject of changes to personal data use. CC ID 00105
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3)
    A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)]
    Behavior Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Establish/Maintain Documentation Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Establish/Maintain Documentation Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Establish/Maintain Documentation Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Establish/Maintain Documentation Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Establish/Maintain Documentation Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3)]
    Behavior Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Establish/Maintain Documentation Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125
    [{refrain from destroying} A provider of information and communications services or similar shall, if any of the following occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1)]
    Data and Information Management Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Records Management Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502
    [{stipulated timeframe} The provider, etc. of information and communications services shall notify, until 30 days before expiration of the period under paragraph (2), the users of the matters prescribed by Presidential Decree such as the fact that the personal information will be destroyed, the expiration date of the period and items of personal information subject to destruction, in a manner prescribed by Presidential Decree such as by email. Article 29(3)]
    Communicate Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)]
    Establish/Maintain Documentation Preventive
    Allow data subjects to submit data requests. CC ID 16545 Process or Activity Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Data and Information Management Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a)
    Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b)
    {not necessary} Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a)
    {not necessary} Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4)
    A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)]
    Data and Information Management Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Data and Information Management Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Data and Information Management Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Data and Information Management Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Establish/Maintain Documentation Preventive
    Define what is to be included in a data access request. CC ID 08699 Establish/Maintain Documentation Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Business Processes Preventive
    Respond to data access requests in a timely manner. CC ID 00421
    [{personal information} A provider of information and communications services or similar shall, in receipt of a request to peruse or furnish matters in accordance with paragraph (2), take necessary measures without delay. Article 30(4)]
    Behavior Preventive
    Delay responding to data access requests, as necessary. CC ID 15504 Data and Information Management Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Data and Information Management Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Behavior Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Behavior Detective
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Business Processes Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Process or Activity Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Establish/Maintain Documentation Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Data and Information Management Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Data and Information Management Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811
    [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)]
    Establish/Maintain Documentation Preventive
    Submit personal data removal requests in writing. CC ID 11973 Records Management Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Establish/Maintain Documentation Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Records Management Corrective
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Establish/Maintain Documentation Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Process or Activity Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128
    [{refrain from using}{be different} No provider of information and communications services may use personal information collected in accordance with Article 22 and the proviso to Article 23 (1) for any purpose other than the purpose consented by the relevant user or the purpose specified in any subparagraph of Article 22 (2). Article 24 ¶ 1]
    Establish/Maintain Documentation Preventive
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Data and Information Management Preventive
    Disclose de-identified data, as necessary. CC ID 13034 Communicate Preventive
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Behavior Preventive
    Refrain from processing restricted data, as necessary. CC ID 12551
    [{refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1)
    {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2)
    A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Records Management Preventive
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Process or Activity Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Process or Activity Preventive
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Business Processes Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Process or Activity Detective
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Process or Activity Preventive
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Process or Activity Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Data and Information Management Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Data and Information Management Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Business Processes Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Business Processes Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Business Processes Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Business Processes Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Business Processes Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Business Processes Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Business Processes Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Business Processes Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Business Processes Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Process or Activity Preventive
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Establish/Maintain Documentation Preventive
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Establish/Maintain Documentation Preventive
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Records Management Preventive
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Records Management Preventive
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Records Management Preventive
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Records Management Preventive
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Records Management Preventive
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Records Management Preventive
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Records Management Preventive
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Records Management Preventive
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Records Management Preventive
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Records Management Preventive
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Records Management Preventive
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Records Management Preventive
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Records Management Preventive
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Records Management Preventive
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Records Management Preventive
    Process restricted data lawfully and carefully. CC ID 00086
    [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1)
    Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2)
    {relevant authority} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)]
    Establish Roles Preventive
    Analyze requirements for processing personal data in contracts. CC ID 12550 Investigate Detective
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Technical Security Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Data and Information Management Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Communicate Corrective
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Records Management Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Data and Information Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Records Management Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Process or Activity Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Records Management Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Data and Information Management Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Establish/Maintain Documentation Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Establish/Maintain Documentation Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Data and Information Management Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Data and Information Management Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Establish/Maintain Documentation Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Establish/Maintain Documentation Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Data and Information Management Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Data and Information Management Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Data and Information Management Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Data and Information Management Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Data and Information Management Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Data and Information Management Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Data and Information Management Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Data and Information Management Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Data and Information Management Preventive
    Process traffic data in a controlled manner. CC ID 00130 Data and Information Management Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Data and Information Management Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Data and Information Management Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188
    [{refrain from obtaining} If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a telemarketer under the Act on Door-to-Door Sales, Etc. informs prospective customers of the collection source of their personal information by voice, and solicits them to buy products or services by means of telephone call. Article 50(1)(2)]
    Data and Information Management Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010
    [{refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1]
    Business Processes Preventive
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708
    [{refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to avoid or interfere with an addressee's refusal to receive or revocation of his or her consent to receive advertising information; Article 50(5)(1)
    {refrain from transmitting} Notwithstanding paragraph (1), where an addressee expresses his or her intention to refuse to receive information or revokes his or her prior consent, no person who intends to transmit advertising information for profit by using an electronic transmission medium shall transmit advertising information for profit. Article 50(2)
    A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If a user does not want to receive advertising information; Article 50-4(1)(2)]
    Communicate Corrective
    Process personal data for the purposes of employment. CC ID 16527 Data and Information Management Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Data and Information Management Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Data and Information Management Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Data and Information Management Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Data and Information Management Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Data and Information Management Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Data and Information Management Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Data and Information Management Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Data and Information Management Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Data and Information Management Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Data and Information Management Preventive
    Process personal data absent consent for specific and well-documented circumstances. CC ID 13537
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)]
    Data and Information Management Preventive
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Process or Activity Preventive
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Data and Information Management Preventive
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Data and Information Management Preventive
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Data and Information Management Preventive
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Data and Information Management Preventive
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)]
    Data and Information Management Preventive
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Data and Information Management Preventive
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Data and Information Management Preventive
    Process personal data absent consent in order to perform a contract. CC ID 13586 Data and Information Management Preventive
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Data and Information Management Preventive
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Data and Information Management Preventive
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Data and Information Management Preventive
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Data and Information Management Preventive
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Data and Information Management Preventive
    Process personal data absent consent when it is needed by law. CC ID 13577
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3)
    A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Data and Information Management Preventive
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Data and Information Management Preventive
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Data and Information Management Preventive
    Process personal data absent consent to create a credit report. CC ID 15288 Data and Information Management Preventive
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Data and Information Management Preventive
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Data and Information Management Preventive
    Process personal data absent consent when produced for business purposes. CC ID 13563 Data and Information Management Preventive
    Process personal data absent consent for handling insurance claims. CC ID 13561 Data and Information Management Preventive
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Data and Information Management Preventive
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Data and Information Management Preventive
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Data and Information Management Preventive
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Data and Information Management Preventive
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 Behavior Preventive
    Define security breach notification requirement exceptions. CC ID 04797 Establish/Maintain Documentation Preventive
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Communicate Corrective
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967
    [{refrain from providing} No one shall be knowingly provided with any disclosed personal information for profit or any unlawful purpose. Article 28-2(2)
    {violate}{right} Every provider of information and communications services shall make efforts to prevent any information under paragraph (1) from being circulated through the information and communications network operated and managed by it. Article 44(2)
    {refrain from circulating}{violate} No user may circulate any information violative of other person's rights, including invasion of privacy and defamation, through an information and communications network. Article 44(1)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that defames other persons by divulging a fact, false fact, openly and purposely to disparage the person's reputation; Article 44-7(1)(2)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information regarding content of transactions of personal information in violation of this Act or other statutes concerning the protection of personal information; Article 44-7(1)(6-2)
    {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2)
    {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1]
    Records Management Preventive
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Communicate Corrective
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Data and Information Management Preventive
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Establish/Maintain Documentation Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Establish/Maintain Documentation Preventive
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Data and Information Management Detective
    Define opt-out exceptions for disclosing restricted data. CC ID 00159 Establish/Maintain Documentation Preventive
    Define how a data subject may give consent. CC ID 00160 Establish/Maintain Documentation Preventive
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Data and Information Management Preventive
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267
    [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2)]
    Communicate Preventive
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Data and Information Management Preventive
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Data and Information Management Preventive
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Data and Information Management Preventive
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Data and Information Management Preventive
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Data and Information Management Preventive
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Data and Information Management Preventive
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Data and Information Management Preventive
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Data and Information Management Preventive
    Disclose personal data absent consent to create a credit report. CC ID 15297 Data and Information Management Preventive
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Data and Information Management Preventive
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Data and Information Management Preventive
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Data and Information Management Preventive
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Data and Information Management Preventive
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Data and Information Management Preventive
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Data and Information Management Preventive
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Data and Information Management Preventive
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Data and Information Management Preventive
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Data and Information Management Preventive
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Data and Information Management Preventive
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Data and Information Management Preventive
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Data and Information Management Preventive
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Data and Information Management Preventive
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Data and Information Management Preventive
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Data and Information Management Preventive
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Data and Information Management Preventive
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Data and Information Management Preventive
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Data and Information Management Preventive
    Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 Data and Information Management Preventive
    Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 Data and Information Management Preventive
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Data and Information Management Preventive
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Data and Information Management Preventive
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Data and Information Management Preventive
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Data and Information Management Preventive
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Data and Information Management Preventive
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Data and Information Management Preventive
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Data and Information Management Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Data and Information Management Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Data and Information Management Preventive
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Data and Information Management Preventive
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Establish/Maintain Documentation Detective
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Data and Information Management Preventive
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Data and Information Management Preventive
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Data and Information Management Preventive
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Data and Information Management Preventive
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Data and Information Management Preventive
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Data and Information Management Preventive
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Communicate Preventive
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [{refrain from destroying} A provider of information and communications services or similar shall, if any of the followings occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1)
    The provider of information and communications services or similar shall, in an effort to protect personal information of the users who do not use information and communications services for a period of one year, take necessary measures, such as destruction of personal information, as prescribed by Presidential Decree: Provided, That the period is otherwise provided either in accordance with other statute or at the request of the users, such provisions shall apply. Article 29(2)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)
    If a user withdraws his or her consent pursuant to paragraph (1), a provider of information and communications services, etc. shall immediately take necessary measures, such as the destruction of collected personal information in an irrecoverable or in unreproducible way. Article 30(3)]
    Establish/Maintain Documentation Preventive
    Capture personal data removal requests. CC ID 13507
    [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)]
    Communicate Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [{violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)]
    Records Management Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Process or Activity Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Process or Activity Preventive
    Dispose of personal data removal requests, as necessary. CC ID 13512 Business Processes Preventive
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Data and Information Management Preventive
    Refrain from redisclosing or reusing restricted data. CC ID 00169
    [A person who manages or has ever managed personal information of users shall not damage, intrude on, or disclose personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)]
    Data and Information Management Preventive
    Document the redisclosing restricted data exceptions. CC ID 00170 Establish/Maintain Documentation Preventive
    Redisclose restricted data when the data subject consents. CC ID 00171 Data and Information Management Preventive
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Data and Information Management Preventive
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Data and Information Management Preventive
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Data and Information Management Preventive
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Data and Information Management Preventive
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Data and Information Management Preventive
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Data and Information Management Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a)
    Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b)
    {not necessary} Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a)
    {not necessary} Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b)
    {stipulated timeframe} Notwithstanding paragraph (1), a person who intends to transmit advertising information for profit by using an electronic transmission medium during the time between 9:00 pm and 8:00 am of the following day shall obtain express prior consent from the addressee of such information: Provided, That in cases of media prescribed by Presidential Decree, the foregoing shall not apply thereto. Article 50(3)]
    Data and Information Management Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198
    [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)]
    Data and Information Management Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Data and Information Management Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Data and Information Management Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Data and Information Management Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Behavior Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Data and Information Management Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Data and Information Management Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Data and Information Management Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Establish/Maintain Documentation Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Data and Information Management Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Data and Information Management Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Data and Information Management Preventive
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Data and Information Management Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Establish/Maintain Documentation Preventive
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Data and Information Management Preventive
    Review personal data disclosure requests. CC ID 07129 Data and Information Management Preventive
    Notify the data subject of the disclosure purpose. CC ID 15268 Communicate Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434 Establish/Maintain Documentation Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Data and Information Management Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Data and Information Management Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Data and Information Management Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Data and Information Management Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Data and Information Management Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Data and Information Management Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Data and Information Management Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Data and Information Management Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Data and Information Management Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Process or Activity Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Data and Information Management Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Data and Information Management Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Data and Information Management Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Data and Information Management Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Data and Information Management Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Data and Information Management Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Data and Information Management Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Data and Information Management Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Data and Information Management Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Data and Information Management Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Data and Information Management Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Data and Information Management Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [A provider of information and communications services shall inform interested persons, such as users to whom such services are provided, of the fact that he or she has taken measures for refusal under paragraph (1) or (4): Provided, That where it is impracticable to inform them of the fact in advance, he or she shall inform them of the fact immediately after it has taken measures for refusal. Article 50-4(3)]
    Data and Information Management Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Communicate Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Data and Information Management Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Process or Activity Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Data and Information Management Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Data and Information Management Preventive
    Notify the data subject of any exclusions to requested personal data. CC ID 15271 Communicate Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Data and Information Management Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Communicate Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Data and Information Management Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Data and Information Management Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Data and Information Management Preventive
    Provide data at a cost that is not excessive. CC ID 00430 Data and Information Management Preventive
    Provide records or data in a reasonable manner. CC ID 00431 Data and Information Management Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Data and Information Management Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Data and Information Management Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Data and Information Management Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Data and Information Management Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Establish/Maintain Documentation Preventive
    Include cookie management in the privacy framework. CC ID 13809 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Establish/Maintain Documentation Preventive
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Data and Information Management Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269
    [{refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)
    {refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1)]
    Data and Information Management Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Business Processes Detective
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Establish/Maintain Documentation Preventive
    Use personal data for specified purposes. CC ID 11831 Data and Information Management Preventive
    Post the collection purpose. CC ID 00101
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)]
    Establish/Maintain Documentation Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1)
    {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)]
    Data and Information Management Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Establish/Maintain Documentation Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Data and Information Management Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Data and Information Management Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Data and Information Management Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Behavior Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Data and Information Management Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Data and Information Management Preventive
    Establish and maintain a personal data definition. CC ID 00028 Establish/Maintain Documentation Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Data and Information Management Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Data and Information Management Preventive
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Data and Information Management Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Data and Information Management Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Data and Information Management Preventive
    Include the number of children in the personal data definition. CC ID 13759 Establish/Maintain Documentation Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Establish/Maintain Documentation Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Data and Information Management Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Data and Information Management Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Data and Information Management Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Data and Information Management Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Data and Information Management Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Data and Information Management Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Data and Information Management Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Establish/Maintain Documentation Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Establish/Maintain Documentation Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Data and Information Management Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Establish/Maintain Documentation Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Data and Information Management Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Data and Information Management Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Establish/Maintain Documentation Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Data and Information Management Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Data and Information Management Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Data and Information Management Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Data and Information Management Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Establish/Maintain Documentation Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Data and Information Management Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Data and Information Management Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Data and Information Management Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Data and Information Management Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Data and Information Management Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Data and Information Management Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Data and Information Management Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Data and Information Management Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Data and Information Management Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Data and Information Management Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Data and Information Management Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Data and Information Management Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Data and Information Management Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Data and Information Management Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Data and Information Management Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Data and Information Management Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Data and Information Management Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Data and Information Management Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Data and Information Management Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Data and Information Management Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Data and Information Management Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Data and Information Management Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Data and Information Management Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Data and Information Management Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Data and Information Management Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Data and Information Management Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Data and Information Management Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Data and Information Management Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Data and Information Management Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Data and Information Management Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Data and Information Management Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Data and Information Management Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Establish/Maintain Documentation Preventive
    Define specially restricted data. CC ID 00037 Data and Information Management Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Data and Information Management Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Data and Information Management Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Data and Information Management Preventive
    Implement a nondiscrimination principle. CC ID 00081 Data and Information Management Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Data and Information Management Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Data and Information Management Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Data and Information Management Preventive
    Employ a random number generator to create authenticators. CC ID 13782 Technical Security Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Data and Information Management Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Data and Information Management Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Behavior Preventive
    Manage health data collection. CC ID 00050 Data and Information Management Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Data and Information Management Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Data and Information Management Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Data and Information Management Preventive
    Remove personal data before disclosing health data. CC ID 00055 Data and Information Management Preventive
    Give special attention to collecting children's data. CC ID 00038 Data and Information Management Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Behavior Preventive
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Establish/Maintain Documentation Preventive
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041
    [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)]
    Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Data and Information Management Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Data and Information Management Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Establish/Maintain Documentation Preventive
    Collect personal data directly from the data subject. CC ID 00011 Data and Information Management Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Data and Information Management Preventive
    Provide unlinkability for users and resources. CC ID 04550 Data and Information Management Preventive
    Provide unobservability of users and resources. CC ID 04551 Technical Security Preventive
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Investigate Detective
    Collect restricted data in a fair and lawful manner. CC ID 00010
    [{refrain from collecting} No one shall collect another person's information through an information and communications network by an act of deceit, nor shall entice another person by an act of deceit to furnish information. Article 49-2(1)
    Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1)
    {relevant authority} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)]
    Data and Information Management Preventive
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Data and Information Management Preventive
    Collect restricted data absent consent when the data collection is in the individual's interests and consent cannot be obtained in a timely manner. CC ID 00014
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)]
    Data and Information Management Preventive
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Data and Information Management Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Data and Information Management Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Data and Information Management Preventive
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Data and Information Management Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Data and Information Management Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Data and Information Management Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Data and Information Management Preventive
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Data and Information Management Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Data and Information Management Preventive
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Data and Information Management Preventive
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Data and Information Management Preventive
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Data and Information Management Preventive
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Data and Information Management Preventive
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)]
    Data and Information Management Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Data and Information Management Preventive
    Collect restricted data absent consent from publicly available information. CC ID 00019 Data and Information Management Preventive
    Collect restricted data absent consent when needed by law. CC ID 00020
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3)
    {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)]
    Data and Information Management Preventive
    Collect personal data absent consent to create a credit report. CC ID 15287 Data and Information Management Preventive
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Data and Information Management Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Data and Information Management Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078
    [{be necessary} Where a provider of information and communications services collects personal information of a user, he or she shall only collect personal information within the minimum scope necessary to provide information and communications services. Article 23(2)]
    Data and Information Management Preventive
    Collect restricted data in a proper information framework. CC ID 00009 Data and Information Management Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Data and Information Management Preventive
    Collect restricted data when required by law. CC ID 00031
    [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2)]
    Data and Information Management Preventive
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Data and Information Management Preventive
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Data and Information Management Preventive
    Collect restricted data for legal purposes. CC ID 00036 Data and Information Management Preventive
    Review the methods for collecting personal data, as necessary. CC ID 13511 Investigate Detective
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Communicate Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)]
    Establish/Maintain Documentation Preventive
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Establish/Maintain Documentation Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Trade name and contact information of the other party (referring to a person who sells and/or provides goods/services in a transaction through telecommunications billing services; hereinafter referred to as "other party to a transaction"); Article 58(1)(2)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353
    [{do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361
    [{refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that divulges a secret classified by statutes or any other State secret; Article 44-7(1)(7)
    {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1]
    Establish/Maintain Documentation Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Data and Information Management Preventive
    Protect electronic messaging information. CC ID 12022 Technical Security Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Data and Information Management Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Configuration Preventive
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Testing Detective
    Store payment card data in secure chips, if possible. CC ID 13065 Configuration Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Configuration Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Technical Security Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Data and Information Management Preventive
    Log the disclosure of personal data. CC ID 06628 Log Management Preventive
    Log the modification of personal data. CC ID 11844 Log Management Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Technical Security Preventive
    Implement security measures to protect personal data. CC ID 13606
    [The persons manufacturing and providing a basic operating system (referring to an operating environment in which software installed in mobile devices can be run) of mobile devices, the manufacturers of mobile devices, and the persons manufacturing and providing software for mobile devices shall take measures necessary for protecting users' information, such as devising methods for users to give or revoke consent to access authority where the provider of information and communications services intends to access the information stored and functions installed in mobile devices. Article 22-2(3)
    Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Other protective measures necessary for securing safety of personal information. Article 28(1)(6)
    A person who manages or has ever managed personal information of users shall not damage, intrude on, or disclose personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)]
    Technical Security Preventive
    Implement physical controls to protect personal data. CC ID 00355 Testing Preventive
    Limit data leakage. CC ID 00356
    [{refrain from exposing} A provider, etc. of information and communications services shall ensure that users' personal information such as resident registration numbers, account numbers and credit cards information is not exposed to the public through information and communications networks. Article 32-3(1)
    The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Measures for preventing leakage of important information that providers of information and communications services have learned while managing the information. Article 51(3)(3)
    A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)]
    Data and Information Management Preventive
    Conduct personal data risk assessments. CC ID 00357 Testing Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Business Processes Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Establish/Maintain Documentation Detective
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Data and Information Management Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Data and Information Management Detective
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Monitor and Evaluate Occurrences Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Investigate Detective
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Behavior Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Data and Information Management Detective
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Log Management Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Monitor and Evaluate Occurrences Corrective
    Log dates for account name changes or address changes. CC ID 04876 Log Management Detective
    Review accounts that are changed for additional user requests. CC ID 11846 Monitor and Evaluate Occurrences Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Data and Information Management Detective
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Acquisition/Sale of Assets or Services Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Process or Activity Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Process or Activity Preventive
    Review monitored websites for data leakage. CC ID 10593 Monitor and Evaluate Occurrences Detective
    Take appropriate action when a data leakage is discovered. CC ID 14716
    [{relevant authority} Upon the request of the Korea Communications Commission or the Korea Internet and Security Agency, a provider, etc. of information and communications services shall take necessary measures such as deleting and blocking exposed personal information referred to in paragraph (1). Article 32-3(2)
    A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)]
    Process or Activity Corrective
    Include text about data ownership in the data handling policy. CC ID 15720 Data and Information Management Preventive
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain call metadata controls. CC ID 04790 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Data and Information Management Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Data and Information Management Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535 Data and Information Management Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Data and Information Management Preventive
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Communicate Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756 Establish/Maintain Documentation Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Establish/Maintain Documentation Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Data and Information Management Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Data and Information Management Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Data and Information Management Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Data and Information Management Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Data and Information Management Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Data and Information Management Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Data and Information Management Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Data and Information Management Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Data and Information Management Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Data and Information Management Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Data and Information Management Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Data and Information Management Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Data and Information Management Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Data and Information Management Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Data and Information Management Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Data and Information Management Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Data and Information Management Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Data and Information Management Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Data and Information Management Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Data and Information Management Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Data and Information Management Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Data and Information Management Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Data and Information Management Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Data and Information Management Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Data and Information Management Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Data and Information Management Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Data and Information Management Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Data and Information Management Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Data and Information Management Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Data and Information Management Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Data and Information Management Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Data and Information Management Preventive
    Define an out of scope privacy breach. CC ID 04677 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Business Processes Preventive
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Monitor and Evaluate Occurrences Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Monitor and Evaluate Occurrences Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Monitor and Evaluate Occurrences Preventive
    Conduct internal data processing audits. CC ID 00374 Testing Detective
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Communicate Preventive
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Establish/Maintain Documentation Preventive
    Obtain consent from an individual prior to transferring personal data. CC ID 06948
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1)
    {abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2)
    {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)]
    Data and Information Management Preventive
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Establish/Maintain Documentation Preventive
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Business Processes Preventive
    Notify data subjects when their personal data is transferred. CC ID 00352
    [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The fact that the personal information is to be transferred; Article 26(1)(1)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)]
    Behavior Preventive
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333
    [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Establish/Maintain Documentation Preventive
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414
    [A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)]
    Communicate Preventive
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314
    [A provider of information and communications services or similar shall, when it transfers personal information to abroad with consent under paragraph (2), take protective measures, as prescribed by Presidential Decree. Article 63(4)]
    Data and Information Management Preventive
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Data and Information Management Preventive
    Prohibit the transfer of personal data when security is inadequate. CC ID 00345 Data and Information Management Preventive
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Data and Information Management Preventive
    Refrain from transferring past the first transfer. CC ID 00347 Data and Information Management Preventive
    Document transfer disagreements by the data subject in writing. CC ID 00348 Establish/Maintain Documentation Preventive
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Data and Information Management Preventive
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Records Management Preventive
    Follow the instructions of the data transferrer. CC ID 00334 Behavior Preventive
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Establish/Maintain Documentation Preventive
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Data and Information Management Preventive
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Data and Information Management Preventive
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Data and Information Management Preventive
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Data and Information Management Preventive
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Data and Information Management Preventive
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322
    [{abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2)]
    Data and Information Management Preventive
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Data and Information Management Preventive
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Data and Information Management Preventive
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Data and Information Management Preventive
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Data and Information Management Preventive
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Business Processes Preventive
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Establish/Maintain Documentation Preventive
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Data and Information Management Preventive
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Data and Information Management Preventive
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Data and Information Management Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Data and Information Management Preventive
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Data and Information Management Preventive
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Data and Information Management Preventive
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Data and Information Management Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Data and Information Management Preventive
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Communicate Preventive
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Behavior Preventive
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Establish/Maintain Documentation Preventive
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Data and Information Management Preventive
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951
    [A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1]
    Data and Information Management Preventive
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Process or Activity Preventive
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Process or Activity Preventive
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Process or Activity Preventive
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Data and Information Management Preventive
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712 Establish/Maintain Documentation Preventive
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Establish/Maintain Documentation Preventive
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Establish/Maintain Documentation Preventive
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Establish/Maintain Documentation Preventive
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Establish/Maintain Documentation Preventive
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Establish/Maintain Documentation Preventive
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Establish/Maintain Documentation Preventive
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Establish/Maintain Documentation Preventive
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Business Processes Preventive
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Communicate Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490 Human Resources Management Detective
    Develop remedies and sanctions for privacy policy violations. CC ID 00474
    [The operator or the manager of the Internet website may take measures, such as deletion of advertising information for profit posted, in violation of paragraph (1) or (2). Article 50-7(3)
    A provider of information and communications services may, if it finds that information circulated through the information and communications network operated and managed by him or her intrudes on someone's privacy, defames someone, or violates someone's rights, take temporary measures at its discretion. Article 44-3(1)]
    Data and Information Management Preventive
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Behavior Preventive
    Implement procedures to file privacy rights violation complaints. CC ID 00476
    [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)]
    Data and Information Management Corrective
    File privacy rights violation complaints in writing. CC ID 00477 Establish/Maintain Documentation Corrective
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Establish/Maintain Documentation Corrective
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Establish/Maintain Documentation Preventive
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Behavior Corrective
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Business Processes Preventive
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Behavior Corrective
    Change or destroy any personal data that is incorrect. CC ID 00462
    [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Data and Information Management Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463
    [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)
    {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)]
    Behavior Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Data and Information Management Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Data and Information Management Corrective
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526
    [Every provider of telecommunications billing services may install and operate an institution or organization that voluntary resolves disputes to protect rights and interests of users. Article 59(1)
    A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)
    {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)]
    Establish/Maintain Documentation Preventive
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Establish/Maintain Documentation Preventive
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Establish/Maintain Documentation Preventive
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Establish/Maintain Documentation Preventive
    Document unresolved challenges. CC ID 13568 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Establish/Maintain Documentation Preventive
    Notify individuals of their right to challenge personal data. CC ID 00457
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)]
    Data and Information Management Preventive
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Data and Information Management Preventive
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Configuration Preventive
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Human Resources Management Preventive
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Data and Information Management Preventive
    Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 Communicate Preventive
    Investigate the disputed accuracy of personal data. CC ID 00461 Data and Information Management Preventive
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466
    [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Behavior Corrective
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Behavior Corrective
    Notify third parties of unresolved challenges. CC ID 13559 Communicate Preventive
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952
    [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)]
    Establish/Maintain Documentation Preventive
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Establish/Maintain Documentation Preventive
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Data and Information Management Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Behavior Detective
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 Business Processes Corrective
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Behavior Detective
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Establish/Maintain Documentation Preventive
    Investigate privacy rights violation complaints in private. CC ID 00492 Behavior Detective
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Behavior Detective
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 Behavior Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [{relevant authority} If parties fail to or are unable to reach an agreement on compensation for damages under paragraph (2), either party may file an application for decision with the Korea Communications Commission. Article 60(3)]
    Behavior Preventive
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Behavior Preventive
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Behavior Preventive
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Behavior Preventive
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Behavior Preventive
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Behavior Preventive
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Communicate Corrective
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Establish/Maintain Documentation Corrective
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Behavior Corrective
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497
    [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)]
    Establish/Maintain Documentation Detective
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Behavior Corrective
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Behavior Corrective
    Award damages based on applicable law. CC ID 00501
    [A provider of telecommunications billing services shall negotiate with the claimant to damages for agreement on compensation for the damages under paragraph (1). Article 60(2)]
    Behavior Corrective
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Data and Information Management Corrective
    Define the organization's liability based on the applicable law. CC ID 00504
    [If the trustee violates any provision of this Chapter in connection with the business affairs related to the entrustment of management of personal information and inflicts damages upon a user, the trustee shall be deemed an employee of the provider of information and communications services or similar in determining liability for such damages. Article 25(5)
    A provider of information and communications services may, if he or she takes necessary measures under paragraph (2) for the informations circulated through the information and communications network operated and managed by it, have its liability for damages caused by such informations mitigated or discharged. Article 44-2(6)
    A provider of telecommunications billing services shall be liable for damages caused to a user of the telecommunications billing services while rendering the services: Provided, That the same shall not apply in cases where the damages were caused by an intentional act or gross negligence on the part of the user of the telecommunications billing services. Article 60(1)]
    Establish/Maintain Documentation Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Establish/Maintain Documentation Preventive
    Define the appeal process based on the applicable law. CC ID 00506 Establish/Maintain Documentation Preventive
    Define the fee structure for the appeal process. CC ID 16532 Process or Activity Preventive
    Define the time requirements for the appeal process. CC ID 16531 Process or Activity Preventive
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 Communicate Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 Communicate Preventive
    Provide notice of proposed penalties. CC ID 06216 Establish/Maintain Documentation Preventive
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Behavior Preventive
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Testing Detective
    Establish, implement, and maintain an anti-spam policy. CC ID 00283 Establish/Maintain Documentation Preventive
    Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993
    [{refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically register telephone numbers or email addresses for the purpose of transmitting advertising information for profit; Article 50(5)(3)
    {refrain from posting} Notwithstanding paragraph (1), where the operator or the manager of an Internet website explicitly expresses his or her intention to refuse to post a notice or to revoke his or her prior consent, no person who intends to post advertising information for profit shall post advertising information for profit. Article 50-7(2)]
    Communicate Preventive
    Include contact information in commercial electronic messages. CC ID 15457
    [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: The name and contact details of a sender; Article 50(4)(1)]
    Business Processes Preventive
    Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294
    [{refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to hide the identity of the sender of advertising information or the source from which advertising is transmitted; Article 50(5)(4)
    {refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to induce an addressee to reply by deceiving him or her for the purpose of transmitting advertising information for profit. Article 50(5)(5)]
    Behavior Preventive
    Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298
    [{refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically generate an addressee's contact information, such as telephone numbers and email addresses, by combining figures, codes, or letters; Article 50(5)(2)]
    Behavior Preventive
    Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300 Establish/Maintain Documentation Preventive
    Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302
    [If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Article 50(1)]
    Behavior Preventive
    Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301
    [{refrain from obtaining} If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a person who has directly collected contact details from the addressee in his or her dealings of goods, etc. intends to transmit advertising information for profit on the same kinds of goods, etc. as those he or she manages and has dealt with the addressee within a period prescribed by Presidential Decree; Article 50(1)(1)
    {refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)]
    Behavior Preventive
    Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304
    [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: Matters concerning measures and methods by which an addressee can easily express his or her intention to refuse to receive information or to revoke his or her consent to receive information. Article 50(4)(2)]
    Data and Information Management Preventive
  • Records management
    27
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Records management CC ID 00902 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain records management policies. CC ID 00903 Establish/Maintain Documentation Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a data retention program. CC ID 00906 Establish/Maintain Documentation Detective
    Maintain continued integrity for all stored data and stored records. CC ID 00969
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of access records; Article 28(1)(3)]
    Testing Detective
    Determine how long to keep records and logs before disposing them. CC ID 11661 Process or Activity Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [{be impossible} An information provider specified by Presidential Decree among those who engage in a business of providing unwholesome media for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in a way to make it impossible to store or record the unwholesome media in a user's computer shall keep relevant information. Article 43(1)
    Every provider of telecommunications billing services shall preserve records of telecommunications billing services during the period, within the limit of five years, prescribed by Presidential Decree. Article 58(4)]
    Records Management Preventive
    Establish, implement, and maintain records management procedures. CC ID 11619 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain data processing integrity controls. CC ID 00923
    [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)]
    Establish Roles Preventive
    Compare each record's data input to its final form. CC ID 11813 Records Management Detective
    Sanitize user input in accordance with organizational standards. CC ID 16856 Process or Activity Preventive
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Data and Information Management Preventive
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747 Establish/Maintain Documentation Preventive
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records Management Detective
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889
    [A person who provides information to the general public purposely to make it public through telecommunications services rendered by a telecommunications business operator (hereinafter referred to as "information provider") and who intends to provide any unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act shall put a label indicating that the information is an unwholesome medium for juvenile by the labeling method specified by Presidential Decree. Article 42 ¶ 1]
    Establish/Maintain Documentation Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Establish/Maintain Documentation Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Establish/Maintain Documentation Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Establish/Maintain Documentation Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Establish/Maintain Documentation Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Establish/Maintain Documentation Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Data and Information Management Preventive
    Establish, implement, and maintain online storage controls. CC ID 00942 Technical Security Preventive
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 Records Management Preventive
    Provide encryption for different types of electronic storage media. CC ID 00945
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)]
    Technical Security Preventive
  • System hardening through configuration management
    49
    System hardening through configuration management CC ID 00860 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain system hardening procedures. CC ID 12001 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain authenticators. CC ID 15305 Technical Security Preventive
    Establish, implement, and maintain an authenticator standard. CC ID 01702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an authenticator management system. CC ID 12031 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain authenticator procedures. CC ID 12002
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of access records; Article 28(1)(3)]
    Establish/Maintain Documentation Preventive
    Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 Technical Security Preventive
    Configure authenticators to comply with organizational standards. CC ID 06412 Configuration Preventive
    Configure the system to require new users to change their authenticator on first use. CC ID 05268 Configuration Preventive
    Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 Configuration Preventive
    Change the authenticator for shared accounts when the group membership changes. CC ID 14249 Business Processes Corrective
    Configure the system to prevent unencrypted authenticator use. CC ID 04457 Configuration Preventive
    Disable store passwords using reversible encryption. CC ID 01708 Configuration Preventive
    Configure the system to encrypt authenticators. CC ID 06735 Configuration Preventive
    Configure the system to mask authenticators. CC ID 02037 Configuration Preventive
    Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 Configuration Preventive
    Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 Establish/Maintain Documentation Preventive
    Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 Establish/Maintain Documentation Preventive
    Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 Configuration Preventive
    Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 Establish/Maintain Documentation Preventive
    Disable machine account password changes. CC ID 01737 Configuration Preventive
    Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 Establish/Maintain Documentation Preventive
    Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 Establish/Maintain Documentation Preventive
    Configure the "password reuse" setting to organizational standards. CC ID 08724 Establish/Maintain Documentation Preventive
    Configure the "Disable Remember Password" setting. CC ID 05270 Configuration Preventive
    Configure the "Minimum password age" to organizational standards. CC ID 01703 Configuration Preventive
    Configure the LILO/GRUB password. CC ID 01576 Configuration Preventive
    Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 Configuration Preventive
    Change the default password to Apple's Keychain. CC ID 04482 Configuration Preventive
    Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 Configuration Preventive
    Configure the Syskey Encryption Key and associated password. CC ID 05978 Configuration Preventive
    Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 Configuration Preventive
    Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 Configuration Preventive
    Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 Configuration Preventive
    Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 Configuration Preventive
    Configure the "Send LanMan compatible password" setting. CC ID 05271 Configuration Preventive
    Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 Configuration Preventive
    Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 Configuration Preventive
    Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 Configuration Preventive
    Notify affected parties to keep authenticators confidential. CC ID 06787 Behavior Preventive
    Discourage affected parties from recording authenticators. CC ID 06788 Behavior Preventive
    Ensure the root account is the first entry in password files. CC ID 16323 Data and Information Management Detective
    Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 Establish/Maintain Documentation Preventive
    Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 Establish/Maintain Documentation Preventive
    Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 Configuration Preventive
    Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 Configuration Preventive
    Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 Configuration Preventive
    Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 Configuration Preventive
    Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 Configuration Preventive
  • Systems design, build, and implementation
    8
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems Design, Build, and Implementation Preventive
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems Design, Build, and Implementation Preventive
    Develop new products based on best practices. CC ID 01095 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a system design specification. CC ID 04557 Establish/Maintain Documentation Preventive
    Include security requirements in the system design specification. CC ID 06826
    [{take into account} A provider of information and communications services shall, if he or she intends to newly establish an information and communications network or to provide information and communications services, take the matters regarding information protection into account in planning or designing thereof. Article 45-2(1)]
    Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 Establish/Maintain Documentation Preventive
    Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 Monitor and Evaluate Occurrences Detective
  • Technical security
    215
    Technical security CC ID 00508 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain digital identification procedures. CC ID 13714
    [Any of the following persons shall, if he or she intends to install and operate a message board, take necessary measures, as prescribed by Presidential Decree (hereinafter referred to as "measures for identity verification"), including preparation of methods and procedures for verifying identity of users of the message board: Article 44-5(1)
    {refrain from using} Even where the collection/use of users' resident registration numbers is authorized pursuant to paragraph (1) 2 or 3, an identification method without using the users' resident registration numbers (hereinafter referred to as "alternative means") shall be provided. Article 23-2(2)]
    Establish/Maintain Documentation Preventive
    Implement digital identification processes. CC ID 13731 Process or Activity Preventive
    Implement identity proofing processes. CC ID 13719 Process or Activity Preventive
    Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 Process or Activity Preventive
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 Process or Activity Preventive
    Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 Process or Activity Detective
    Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 Process or Activity Preventive
    Establish, implement, and maintain remote proofing procedures. CC ID 13796 Establish/Maintain Documentation Preventive
    Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 Configuration Preventive
    Interact with the data subject when performing remote proofing. CC ID 13777 Process or Activity Detective
    Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 Process or Activity Preventive
    View all applicant actions when performing remote proofing. CC ID 13804 Process or Activity Detective
    Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 Process or Activity Preventive
    Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 Process or Activity Detective
    Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 Process or Activity Detective
    Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 Process or Activity Preventive
    Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 Process or Activity Preventive
    Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 Process or Activity Detective
    Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 Process or Activity Preventive
    Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 Configuration Preventive
    Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 Configuration Preventive
    Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 Configuration Preventive
    Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 Process or Activity Preventive
    Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 Process or Activity Detective
    Validate proof of identity during the identity proofing process. CC ID 13756 Process or Activity Detective
    Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 Business Processes Detective
    Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 Process or Activity Detective
    Verify proof of identity records. CC ID 13761 Investigate Detective
    Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 Process or Activity Detective
    Allow records that relate to the data subject as proof of identity. CC ID 13772 Process or Activity Preventive
    Conduct in-person proofing with physical interactions. CC ID 13775 Process or Activity Detective
    Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 Process or Activity Preventive
    Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 Process or Activity Preventive
    Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 Process or Activity Preventive
    Refrain from approving attributes in the identity proofing process. CC ID 13716 Process or Activity Preventive
    Reperform the identity proofing process for each individual, as necessary. CC ID 13762 Process or Activity Detective
    Establish, implement, and maintain an access control program. CC ID 11702 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Establish/Maintain Documentation Preventive
    Control access rights to organizational assets. CC ID 00004 Technical Security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [Every provider of information and communications services or similar shall restrict the persons who may manage users' personal information to the minimum extent. Article 28(2)]
    Technical Security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical Security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical Security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Configuration Preventive
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Establish Roles Preventive
    Enforce access restrictions for restricted data. CC ID 01921
    [A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)]
    Data and Information Management Preventive
    Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526
    [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Technical Security Preventive
    Establish, implement, and maintain access control procedures. CC ID 11663
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information; Article 28(1)(2)]
    Establish/Maintain Documentation Preventive
    Implement out-of-band authentication, as necessary. CC ID 10606 Technical Security Corrective
    Grant access to authorized personnel or systems. CC ID 12186 Configuration Preventive
    Document approving and granting access in the access control log. CC ID 06786 Establish/Maintain Documentation Preventive
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Communicate Preventive
    Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 Establish/Maintain Documentation Preventive
    Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 Establish/Maintain Documentation Preventive
    Include the date and time that access was reviewed in the system record. CC ID 16416 Data and Information Management Preventive
    Include the date and time that access rights were changed in the system record. CC ID 16415 Establish/Maintain Documentation Preventive
    Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 Communicate Corrective
    Identify and control all network access controls. CC ID 00529 Technical Security Preventive
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544 Establish/Maintain Documentation Preventive
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284
    [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)]
    Configuration Preventive
    Protect data stored at external locations. CC ID 16333 Data and Information Management Preventive
    Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 Configuration Detective
    Protect the firewall's network connection interfaces. CC ID 01955 Technical Security Preventive
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 Configuration Preventive
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Configuration Preventive
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Configuration Preventive
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Configuration Preventive
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Configuration Preventive
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Configuration Preventive
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Configuration Preventive
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Configuration Preventive
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Configuration Preventive
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Configuration Preventive
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Configuration Preventive
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Configuration Preventive
    Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 Configuration Preventive
    Configure firewalls to perform dynamic packet filtering. CC ID 01288 Testing Detective
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical Security Preventive
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical Security Preventive
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Data and Information Management Preventive
    Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 Data and Information Management Preventive
    Synchronize and secure all router configuration files. CC ID 01291 Configuration Preventive
    Synchronize and secure all firewall configuration files. CC ID 11851 Configuration Preventive
    Configure firewalls to generate an audit log. CC ID 12038 Audits and Risk Management Preventive
    Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 Configuration Preventive
    Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 Establish/Maintain Documentation Preventive
    Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 Establish/Maintain Documentation Preventive
    Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 Establish/Maintain Documentation Preventive
    Configure network access and control points to organizational standards. CC ID 12442 Configuration Detective
    Enforce information flow control. CC ID 11781 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Establish/Maintain Documentation Preventive
    Constrain the information flow of restricted data or restricted information. CC ID 06763
    [The Government may have providers or users of information and communications services to take necessary measures to prevent outflow abroad of any important information about industry, economy, science, technology, etc. of this country through information and communications networks. Article 51(1)]
    Data and Information Management Preventive
    Quarantine data that fails security tests. CC ID 16500 Data and Information Management Corrective
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 Data and Information Management Preventive
    Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 Data and Information Management Preventive
    Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 Data and Information Management Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)]
    Technical Security Preventive
    Comply with the encryption laws of the local country. CC ID 16377 Business Processes Preventive
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Establish/Maintain Documentation Preventive
    Define the cryptographic boundaries. CC ID 06543 Establish/Maintain Documentation Preventive
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Establish/Maintain Documentation Preventive
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Establish/Maintain Documentation Preventive
    Implement the documented cryptographic module security functions. CC ID 06755 Data and Information Management Preventive
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Establish/Maintain Documentation Preventive
    Document the operation of the cryptographic module. CC ID 06546 Establish/Maintain Documentation Preventive
    Employ cryptographic controls that comply with applicable requirements. CC ID 12491 Technical Security Preventive
    Establish, implement, and maintain digital signatures. CC ID 13828 Data and Information Management Preventive
    Include the expiration date in digital signatures. CC ID 13833 Data and Information Management Preventive
    Include audience restrictions in digital signatures. CC ID 13834 Data and Information Management Preventive
    Include the subject in digital signatures. CC ID 13832 Data and Information Management Preventive
    Include the issuer in digital signatures. CC ID 13831 Data and Information Management Preventive
    Include identifiers in the digital signature. CC ID 13829 Data and Information Management Preventive
    Generate and protect a secret random number for each digital signature. CC ID 06577 Establish/Maintain Documentation Preventive
    Establish the security strength requirements for the digital signature process. CC ID 06578 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 Establish/Maintain Documentation Preventive
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 Configuration Preventive
    Encrypt in scope data or in scope information, as necessary. CC ID 04824 Data and Information Management Preventive
    Digitally sign records and data, as necessary. CC ID 16507 Data and Information Management Preventive
    Make key usage for data fields unique for each device. CC ID 04828 Technical Security Preventive
    Decrypt restricted data for the minimum time required. CC ID 12308 Data and Information Management Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Data and Information Management Preventive
    Accept only trusted keys and/or certificates. CC ID 11988 Technical Security Preventive
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 Data and Information Management Preventive
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Process or Activity Preventive
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Process or Activity Preventive
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Communicate Preventive
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Process or Activity Preventive
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Data and Information Management Preventive
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 Establish/Maintain Documentation Preventive
    Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 Communicate Preventive
    Establish, implement, and maintain encryption management procedures. CC ID 15475 Establish/Maintain Documentation Preventive
    Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 Establish Roles Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Establish/Maintain Documentation Preventive
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Communicate Preventive
    Bind keys to each identity. CC ID 12337 Technical Security Preventive
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Establish/Maintain Documentation Preventive
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Establish/Maintain Documentation Preventive
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Data and Information Management Preventive
    Generate strong cryptographic keys. CC ID 01299 Data and Information Management Preventive
    Generate unique cryptographic keys for each user. CC ID 12169 Technical Security Preventive
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Data and Information Management Preventive
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical Security Preventive
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Establish/Maintain Documentation Preventive
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Data and Information Management Preventive
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Data and Information Management Preventive
    Store cryptographic keys securely. CC ID 01298 Data and Information Management Preventive
    Restrict access to cryptographic keys. CC ID 01297 Data and Information Management Preventive
    Store cryptographic keys in encrypted format. CC ID 06084 Data and Information Management Preventive
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical Security Preventive
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Establish/Maintain Documentation Preventive
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Data and Information Management Preventive
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Data and Information Management Preventive
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Data and Information Management Preventive
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Data and Information Management Preventive
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical Security Preventive
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Data and Information Management Corrective
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Data and Information Management Corrective
    Archive outdated cryptographic keys. CC ID 06884 Data and Information Management Preventive
    Archive revoked cryptographic keys. CC ID 11819 Data and Information Management Preventive
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Establish/Maintain Documentation Preventive
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Human Resources Management Preventive
    Test cryptographic key management applications, as necessary. CC ID 04829 Testing Detective
    Manage the digital signature cryptographic key pair. CC ID 06576 Data and Information Management Preventive
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Establish/Maintain Documentation Preventive
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Establish Roles Preventive
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Establish/Maintain Documentation Preventive
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Establish/Maintain Documentation Preventive
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Establish/Maintain Documentation Preventive
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Establish/Maintain Documentation Preventive
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Establish/Maintain Documentation Preventive
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical Security Preventive
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical Security Preventive
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Establish/Maintain Documentation Preventive
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Establish/Maintain Documentation Preventive
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Establish/Maintain Documentation Preventive
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Establish/Maintain Documentation Preventive
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical Security Preventive
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Records Management Preventive
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical Security Preventive
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical Security Preventive
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)]
    Technical Security Preventive
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Configuration Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical Security Preventive
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical Security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Establish/Maintain Documentation Preventive
    Implement non-repudiation for transactions. CC ID 00567 Testing Detective
    Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 Technical Security Preventive
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical Security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical Security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical Security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical Security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574
    [{antivirus software}Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5)
    {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that mutilates, destroys, alters, or forges an information and communications system, data, a program, or similar or that interferes with the operation of such system, data, program, or similar without a justifiable ground; Article 44-7(1)(4)]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 Communicate Preventive
    Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 Communicate Preventive
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a malicious code protection policy. CC ID 15478 Establish/Maintain Documentation Preventive
    Restrict downloading to reduce malicious code attacks. CC ID 04576 Behavior Preventive
    Install security and protection software, as necessary. CC ID 00575
    [{antivirus software}Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5)]
    Configuration Preventive
    Install and maintain container security solutions. CC ID 16178 Technical Security Preventive
    Scan for malicious code, as necessary. CC ID 11941 Investigate Detective
    Test all removable storage media for viruses and malicious code. CC ID 11861 Testing Detective
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Testing Detective
    Remove malware when malicious code is discovered. CC ID 13691 Process or Activity Corrective
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Communicate Corrective
    Protect the system against replay attacks. CC ID 04552 Technical Security Preventive
    Define and assign roles and responsibilities for malicious code protection. CC ID 15474 Establish Roles Preventive
    Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 Establish/Maintain Documentation Corrective
    Log and react to all malicious code activity. CC ID 07072 Monitor and Evaluate Occurrences Detective
    Analyze the behavior and characteristics of the malicious code. CC ID 10672 Technical Security Detective
    Incorporate the malicious code analysis into the patch management program. CC ID 10673 Technical Security Corrective
    Lock antivirus configurations. CC ID 10047 Configuration Preventive
  • Third Party and supply chain oversight
    151
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Third Party and supply chain oversight CC ID 08807 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a supply chain management program. CC ID 11742
    [A person who has commissioned a third party to transmit advertising information for profit on his or her behalf shall control and oversee the person to whom the transmission was commissioned to ensure that the person does not violate Article 50. Article 50-3(1)
    A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If transmission or reception of advertising information hinders or is likely to hinder rendering the services; Article 50-4(1)(1)
    Any provider of information and communications services or similar shall not conclude an international contract with any term or condition in violation of this Act with respect to personal information of users. Article 63(1)
    {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)]
    Establish/Maintain Documentation Preventive
    Review and update all contracts, as necessary. CC ID 11612 Establish/Maintain Documentation Preventive
    Terminate supplier relationships, as necessary. CC ID 13489
    [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)]
    Business Processes Corrective
    Document and maintain supply chain processes. CC ID 08816 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an exit plan. CC ID 15492 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the exit plan. CC ID 15497 Establish/Maintain Documentation Preventive
    Test the exit plan, as necessary. CC ID 15495 Testing Preventive
    Include contingency plans in the third party management plan. CC ID 10030 Establish/Maintain Documentation Preventive
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 Systems Continuity Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [{refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)]
    Process or Activity Detective
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Establish/Maintain Documentation Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Establish/Maintain Documentation Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Establish/Maintain Documentation Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 Establish/Maintain Documentation Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Establish/Maintain Documentation Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Establish/Maintain Documentation Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Establish/Maintain Documentation Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 Establish/Maintain Documentation Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Establish/Maintain Documentation Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Establish/Maintain Documentation Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Establish/Maintain Documentation Preventive
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 Business Processes Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Establish/Maintain Documentation Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Establish/Maintain Documentation Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Establish/Maintain Documentation Preventive
    Include the contract duration in third party contracts. CC ID 16221 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487 Establish/Maintain Documentation Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Establish/Maintain Documentation Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Establish/Maintain Documentation Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Establish/Maintain Documentation Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Establish/Maintain Documentation Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Establish/Maintain Documentation Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Establish/Maintain Documentation Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Establish/Maintain Documentation Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Establish/Maintain Documentation Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Establish/Maintain Documentation Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Establish/Maintain Documentation Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Establish/Maintain Documentation Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Establish/Maintain Documentation Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Establish/Maintain Documentation Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Establish/Maintain Documentation Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Establish/Maintain Documentation Preventive
    Include a reporting structure in third party contracts. CC ID 06532 Establish/Maintain Documentation Preventive
    Include points of contact in third party contracts. CC ID 12355 Establish/Maintain Documentation Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Establish/Maintain Documentation Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 Establish/Maintain Documentation Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Establish/Maintain Documentation Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 Establish/Maintain Documentation Preventive
    Include training requirements in third party contracts. CC ID 16367 Acquisition/Sale of Assets or Services Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Establish/Maintain Documentation Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Establish/Maintain Documentation Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 Establish/Maintain Documentation Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722 Establish/Maintain Documentation Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523 Establish/Maintain Documentation Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 Establish/Maintain Documentation Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Establish/Maintain Documentation Preventive
    Include change control notification processes in third party contracts. CC ID 06524
    [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)]
    Establish/Maintain Documentation Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Establish/Maintain Documentation Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Establish/Maintain Documentation Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519
    [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)]
    Establish/Maintain Documentation Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Establish/Maintain Documentation Preventive
    Include a termination provision clause in third party contracts. CC ID 01367
    [If a provider of information and communications services intends to take any measure for refusal under paragraph (1) or (4), he or she shall include matters concerning the refusal of the relevant services in the terms and conditions of a contract for use of information and communications services which he or she concludes with the user of such services. Article 50-4(2)]
    Establish/Maintain Documentation Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Establish/Maintain Documentation Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Establish/Maintain Documentation Preventive
    Include termination costs in third party contracts. CC ID 10023 Establish/Maintain Documentation Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Establish/Maintain Documentation Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Establish/Maintain Documentation Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026
    [A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3)
    A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)]
    Establish/Maintain Documentation Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Establish/Maintain Documentation Preventive
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Testing Detective
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791
    [A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)]
    Establish/Maintain Documentation Preventive
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Testing Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Testing Detective
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Establish/Maintain Documentation Preventive
    Establish the third party's service continuity. CC ID 00797 Testing Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Testing Detective
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Data and Information Management Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Testing Detective
    Include disclosure requirements in third party contracts. CC ID 08825 Business Processes Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Establish/Maintain Documentation Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Establish/Maintain Documentation Preventive
    Document supply chain dependencies in the supply chain management program. CC ID 08900 Establish/Maintain Documentation Detective
    Establish and maintain a Third Party Service Provider list. CC ID 12480 Establish/Maintain Documentation Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429 Establish/Maintain Documentation Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Establish/Maintain Documentation Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Communicate Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Establish/Maintain Documentation Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Establish/Maintain Documentation Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 Establish/Maintain Documentation Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Establish/Maintain Documentation Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Establish/Maintain Documentation Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Establish/Maintain Documentation Preventive
    Document supply chain transactions in the supply chain management program. CC ID 08857 Business Processes Preventive
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Establish/Maintain Documentation Preventive
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Establish/Maintain Documentation Preventive
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Physical and Environmental Protection Preventive
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637 Establish/Maintain Documentation Preventive
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 Process or Activity Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 Establish/Maintain Documentation Detective
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Establish Roles Preventive
    Approve all Service Level Agreements. CC ID 00843 Establish/Maintain Documentation Detective
    Track all chargeable items in Service Level Agreements. CC ID 11616 Business Processes Detective
    Document all chargeable items in Service Level Agreements. CC ID 00844 Establish/Maintain Documentation Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Business Processes Corrective
    Categorize all suppliers in the supply chain management program. CC ID 00792 Establish/Maintain Documentation Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Establish/Maintain Documentation Preventive
    Perform risk assessments of third parties, as necessary. CC ID 06454 Testing Detective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Business Processes Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Establish/Maintain Documentation Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Establish/Maintain Documentation Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Business Processes Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Establish/Maintain Documentation Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Establish/Maintain Documentation Preventive
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 Audits and Risk Management Detective
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Establish/Maintain Documentation Preventive
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 Business Processes Preventive
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Human Resources Management Preventive
    Include supplier assessment principles in the supply chain management policy. CC ID 08809 Establish/Maintain Documentation Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132 Establish/Maintain Documentation Preventive
    Select suppliers based on their qualifications. CC ID 00795 Establish/Maintain Documentation Preventive
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 Establish/Maintain Documentation Preventive
    Include a clear management process in the supply chain management policy. CC ID 08810 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain management policy. CC ID 15499 Establish/Maintain Documentation Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Communicate Preventive
    Require suppliers to commit to the supply chain management policy. CC ID 08813 Establish/Maintain Documentation Preventive
    Support third parties in building their capabilities. CC ID 08814 Business Processes Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815 Business Processes Preventive
    Post a list of compliant third parties on the organization's website. CC ID 08817 Business Processes Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818 Business Processes Preventive
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Establish/Maintain Documentation Preventive
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Establish/Maintain Documentation Preventive
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Establish/Maintain Documentation Preventive
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Establish/Maintain Documentation Preventive
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Establish/Maintain Documentation Preventive
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Establish/Maintain Documentation Preventive
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Data and Information Management Preventive
    Establish and maintain a conflict materials report. CC ID 08823 Establish/Maintain Documentation Preventive
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Establish/Maintain Documentation Preventive
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Establish/Maintain Documentation Preventive
    Identify supply sources for secondary materials. CC ID 08822 Business Processes Preventive
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Business Processes Preventive
    Establish, implement, and maintain outsourcing contracts. CC ID 13124 Establish/Maintain Documentation Preventive
    Include the organization approving subcontractors in the outsourcing contract. CC ID 13131
    [{business affair}{personal information} A trustee may re-entrust a third party with affairs entrusted pursuant to paragraph (1) only where the trustee obtains consent from the provider, etc. of information and communications services. Article 25(7)]
    Establish/Maintain Documentation Preventive
Common Controls and mandates by Type
190 Mandated Controls - bold
114 Implied Controls - italic
2101 Implementation

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
2405 Total
  • Acquisition/Sale of Assets or Services
    4
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Preventive
    Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682
    [Every business operator of clustered information and communications facilities shall purchase insurance policies as prescribed by Presidential Decree to cover damages that may be caused by destruction or damage of the clustered information and communications facilities or any other trouble in operation. Article 46(2)]
    Operational and Systems Continuity Preventive
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Preventive
    Include training requirements in third party contracts. CC ID 16367 Third Party and supply chain oversight Preventive
  • Actionable Reports or Measurements
    3
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Operational management Corrective
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Preventive
    Mitigate reported incidents. CC ID 12973
    [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)]
    Operational management Preventive
  • Audits and Risk Management
    2
    Configure firewalls to generate an audit log. CC ID 12038 Technical security Preventive
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 Third Party and supply chain oversight Detective
  • Behavior
    99
    Restrict downloading to reduce malicious code attacks. CC ID 04576 Technical security Preventive
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Preventive
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Preventive
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Preventive
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Preventive
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Preventive
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Physical and environmental protection Preventive
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Physical and environmental protection Preventive
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Physical and environmental protection Preventive
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Physical and environmental protection Preventive
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Physical and environmental protection Preventive
    Train all new hires, as necessary. CC ID 06673 Human Resources management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Human Resources management Preventive
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Human Resources management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)]
    Human Resources management Preventive
    Retrain all personnel, as necessary. CC ID 01362 Human Resources management Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Human Resources management Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Human Resources management Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Preventive
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Preventive
    Conduct Archives and Records Management training. CC ID 00975 Human Resources management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Human Resources management Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Human Resources management Corrective
    Conduct crime prevention training. CC ID 06350 Human Resources management Preventive
    Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 Human Resources management Preventive
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 Human Resources management Corrective
    Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 Human Resources management Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Preventive
    Share data loss event information with the media. CC ID 01759 Operational management Corrective
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Corrective
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365
    [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)]
    Operational management Corrective
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Operational management Detective
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Operational management Corrective
    Avoid false positive incident response notifications. CC ID 04732 Operational management Detective
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Operational management Corrective
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Operational management Corrective
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Operational management Corrective
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Operational management Corrective
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Operational management Preventive
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Operational management Preventive
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Operational management Corrective
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Operational management Preventive
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Operational management Corrective
    Disseminate and communicate software update information to users and regulators. CC ID 06602
    [{relevant authority} A software business operator under Article 2 of the Software Industry Promotion Act shall, when he or she produced a program that improves weaknesses in security, notify the Korea Internet and Security Agency of its production, and shall notify users of the software of the production at least twice within one month from the date of production. Article 47-4(3)]
    Operational management Preventive
    Notify affected parties to keep authenticators confidential. CC ID 06787 System hardening through configuration management Preventive
    Discourage affected parties from recording authenticators. CC ID 06788 System hardening through configuration management Preventive
    Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455
    [Where a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) provides telecommunications billing services or increases the upper limits of use, it shall obtain consent from a user of the relevant telecommunications billing services in advance. Article 58(5)]
    Acquisition or sale of facilities, technology, and services Preventive
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383
    [{relevant authority} A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Article 53(1)]
    Privacy protection for information and data Preventive
    Define the criteria for waivers of data subjects' rights. CC ID 16858 Privacy protection for information and data Preventive
    Revoke waivers of data subject's rights, as necessary. CC ID 16859 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943
    [{make aware} Every provider of information and communications services or similar shall, when he or she revises the policy on managing personal information under paragraph (1), give public notice of the reasons for and details of such revision without delay in a manner specified by Presidential Decree, and take measures to make users aware of the details of the revision easily at any time. Article 27-2(3)]
    Privacy protection for information and data Preventive
    Notify the supervisory authority. CC ID 00472
    [{relevant authority}{collection}{personal data} A provider of information and communications services shall, whenever it discovers a violation of paragraph (1), immediately report it to the Minister of Science, Information and Communications Technology (ICT) and Future Planning, the Korea Communications Commission, or the Korea Internet and Security Agency. Article 49-2(2)]
    Privacy protection for information and data Preventive
    Notify the data subject of the collection purpose. CC ID 00095
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)
    A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1]
    Privacy protection for information and data Preventive
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Preventive
    Notify the data subject of changes to personal data use. CC ID 00105
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3)
    A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)]
    Privacy protection for information and data Preventive
    Obtain the data subject's consent when the personal data use changes. CC ID 11832
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3)]
    Privacy protection for information and data Preventive
    Respond to data access requests in a timely manner. CC ID 00421
    [{personal information} A provider of information and communications services or similar shall, in receipt of a request to peruse or furnish matters in accordance with paragraph (2), take necessary measures without delay. Article 30(4)]
    Privacy protection for information and data Preventive
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Privacy protection for information and data Detective
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Detective
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Privacy protection for information and data Preventive
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 Privacy protection for information and data Preventive
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Preventive
    Notify the data subject of the source of collected personal data. CC ID 00083 Privacy protection for information and data Preventive
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Privacy protection for information and data Preventive
    Use simple understandable language to collect information from children. CC ID 00039 Privacy protection for information and data Preventive
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Detective
    Notify data subjects when their personal data is transferred. CC ID 00352
    [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The fact that the personal information is to be transferred; Article 26(1)(1)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)]
    Privacy protection for information and data Preventive
    Follow the instructions of the data transferrer. CC ID 00334 Privacy protection for information and data Preventive
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Privacy protection for information and data Preventive
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Privacy protection for information and data Preventive
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Privacy protection for information and data Corrective
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Privacy protection for information and data Corrective
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463
    [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)
    {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)]
    Privacy protection for information and data Corrective
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466
    [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Privacy protection for information and data Corrective
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Privacy protection for information and data Corrective
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Detective
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Privacy protection for information and data Detective
    Investigate privacy rights violation complaints in private. CC ID 00492 Privacy protection for information and data Detective
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Privacy protection for information and data Detective
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation prior to an adverse decision to the complainant is reached. CC ID 00494 Privacy protection for information and data Detective
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [{relevant authority} If parties fail to or are unable to reach an agreement on compensation for damages under paragraph (2), either party may file an application for decision with the Korea Communications Commission. Article 60(3)]
    Privacy protection for information and data Preventive
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Privacy protection for information and data Preventive
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Privacy protection for information and data Preventive
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Privacy protection for information and data Preventive
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Privacy protection for information and data Corrective
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Privacy protection for information and data Corrective
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Privacy protection for information and data Corrective
    Award damages based on applicable law. CC ID 00501
    [A provider of telecommunications billing services shall negotiate with the claimant to damages for agreement on compensation for the damages under paragraph (1). Article 60(2)]
    Privacy protection for information and data Corrective
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Privacy protection for information and data Preventive
    Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294
    [{refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to hide the identity of the sender of advertising information or the source from which advertising is transmitted; Article 50(5)(4)
    {refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to induce an addressee to reply by deceiving him or her for the purpose of transmitting advertising information for profit. Article 50(5)(5)]
    Privacy protection for information and data Preventive
    Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298
    [{refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically generate an addressee's contact information, such as telephone numbers and email addresses, by combining figures, codes, or letters; Article 50(5)(2)]
    Privacy protection for information and data Preventive
    Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302
    [If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Article 50(1)]
    Privacy protection for information and data Preventive
    Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301
    [{refrain from obtaining} If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a person who has directly collected contact details from the addressee in his or her dealings of goods, etc. intends to transmit advertising information for profit on the same kinds of goods, etc. as those he or she manages and has dealt with the addressee within a period prescribed by Presidential Decree; Article 50(1)(1)
    {refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)]
    Privacy protection for information and data Preventive
  • Business Processes
    115
    IMPACT ZONE    CLASS
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Preventive
    Identify the material topics required to be reported on. CC ID 15654 Leadership and high level objectives Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Leadership and high level objectives Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Leadership and high level objectives Preventive
    Prioritize organizational objectives. CC ID 09960 Leadership and high level objectives Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Leadership and high level objectives Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Preventive
    Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 Leadership and high level objectives Preventive
    Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 Leadership and high level objectives Preventive
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Leadership and high level objectives Preventive
    Attach the required information to each funds transfer. CC ID 16756 Leadership and high level objectives Preventive
    Verify all required information is attached to each funds transfer. CC ID 16755 Leadership and high level objectives Detective
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Leadership and high level objectives Preventive
    Refrain from setting up anonymous financial accounts. CC ID 16721 Leadership and high level objectives Preventive
    Identify and maintain positions in financial accounts. CC ID 16751 Leadership and high level objectives Preventive
    Supplement financial resources, as necessary. CC ID 16685 Leadership and high level objectives Preventive
    Limit the types of assets accepted as collateral. CC ID 16602 Leadership and high level objectives Preventive
    Avoid the use of concentrated holdings of assets. CC ID 16651 Leadership and high level objectives Preventive
    Establish, implement, and maintain a securities trading program. CC ID 16626 Leadership and high level objectives Preventive
    Include investment information in approval requests for investments. CC ID 16590 Leadership and high level objectives Preventive
    Review and approve lending policies. CC ID 16607 Leadership and high level objectives Preventive
    Establish, implement, and maintain margin systems. CC ID 16601 Leadership and high level objectives Preventive
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Leadership and high level objectives Preventive
    Approve the system security plan. CC ID 14241 Monitoring and measurement Preventive
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Preventive
    Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 Technical security Detective
    Comply with the encryption laws of the local country. CC ID 16377 Technical security Preventive
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Preventive
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Physical and environmental protection Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671 Human Resources management Preventive
    Define the scope for the internal control framework. CC ID 16325 Operational management Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Detective
    Assign resources to implement the internal control framework. CC ID 00816 Operational management Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Operational management Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Preventive
    Establish, implement, and maintain a Service Management System. CC ID 13889 Operational management Preventive
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Preventive
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Preventive
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Corrective
    Analyze and respond to security alerts. CC ID 12504
    [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)]
    Operational management Detective
    Manage the creation of products and services, as necessary. CC ID 13497 Operational management Preventive
    Change the authenticator for shared accounts when the group membership changes. CC ID 14249 System hardening through configuration management Corrective
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 Acquisition or sale of facilities, technology, and services Preventive
    Restrict transaction activities, as necessary. CC ID 16334 Acquisition or sale of facilities, technology, and services Preventive
    Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 Acquisition or sale of facilities, technology, and services Preventive
    Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 Acquisition or sale of facilities, technology, and services Preventive
    Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 Acquisition or sale of facilities, technology, and services Preventive
    Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 Acquisition or sale of facilities, technology, and services Preventive
    Protect the integrity of application service transactions. CC ID 12017 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 Acquisition or sale of facilities, technology, and services Preventive
    Bill and settle electronic commerce transactions. CC ID 08622 Acquisition or sale of facilities, technology, and services Preventive
    Correct billing and settlement errors. CC ID 08623
    [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)]
    Acquisition or sale of facilities, technology, and services Corrective
    Withhold payment and settlement functions, as necessary. CC ID 15460
    [A user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)]
    Acquisition or sale of facilities, technology, and services Preventive
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Privacy protection for information and data Preventive
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Preventive
    Approve the privacy plan. CC ID 14700 Privacy protection for information and data Preventive
    Protect private communications in keeping with compliance requirements. CC ID 14334 Privacy protection for information and data Preventive
    Refrain from charging a fee to implement an opt-out request. CC ID 13877
    [A person who transmits advertising information for profit by using an electronic transmission medium shall take necessary measures so that an addressee does not incur any cost, such as telephone charges, when the addressee refuses to receive or revokes his or her consent to receive such information, as prescribed by Presidential Decree. Article 50(6)]
    Privacy protection for information and data Preventive
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 Privacy protection for information and data Preventive
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Preventive
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Privacy protection for information and data Preventive
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Privacy protection for information and data Preventive
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Privacy protection for information and data Preventive
    Allow consent requests to be provided in any official languages. CC ID 16530 Privacy protection for information and data Preventive
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Preventive
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Preventive
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Preventive
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Preventive
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Preventive
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Preventive
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Preventive
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Preventive
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Preventive
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Preventive
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Preventive
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010
    [{refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1]
    Privacy protection for information and data Preventive
    Dispose of personal data removal requests, as necessary. CC ID 13512 Privacy protection for information and data Preventive
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Privacy protection for information and data Detective
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Preventive
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Preventive
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Privacy protection for information and data Preventive
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Privacy protection for information and data Preventive
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Privacy protection for information and data Preventive
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Privacy protection for information and data Preventive
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 Privacy protection for information and data Corrective
    Include contact information in commercial electronic messages. CC ID 15457
    [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: The name and contact details of a sender; Article 50(4)(1)]
    Privacy protection for information and data Preventive
    Terminate supplier relationships, as necessary. CC ID 13489
    [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)]
    Third Party and supply chain oversight Corrective
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 Third Party and supply chain oversight Preventive
    Include disclosure requirements in third party contracts. CC ID 08825 Third Party and supply chain oversight Preventive
    Document supply chain transactions in the supply chain management program. CC ID 08857 Third Party and supply chain oversight Preventive
    Track all chargeable items in Service Level Agreements. CC ID 11616 Third Party and supply chain oversight Detective
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Third Party and supply chain oversight Corrective
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Third Party and supply chain oversight Preventive
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Preventive
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 Third Party and supply chain oversight Preventive
    Support third parties in building their capabilities. CC ID 08814 Third Party and supply chain oversight Preventive
    Implement measurable improvement plans with all third parties. CC ID 08815 Third Party and supply chain oversight Preventive
    Post a list of compliant third parties on the organization's website. CC ID 08817 Third Party and supply chain oversight Preventive
    Use third parties that are compliant with the applicable requirements. CC ID 08818 Third Party and supply chain oversight Preventive
    Identify supply sources for secondary materials. CC ID 08822 Third Party and supply chain oversight Preventive
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Third Party and supply chain oversight Preventive
  • Communicate
    129
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Establish, implement, and maintain an external reporting program. CC ID 12876
    [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1)]
    Leadership and high level objectives Preventive
    Provide identifying information about the organization to the responsible party. CC ID 16715 Leadership and high level objectives Preventive
    Prioritize material topics used in reporting. CC ID 15678 Leadership and high level objectives Preventive
    Include time requirements in the external reporting program. CC ID 16566 Leadership and high level objectives Preventive
    Include reporting to governing bodies in the external reporting plan. CC ID 12923
    [{relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3)
    {relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)
    {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)]
    Leadership and high level objectives Preventive
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Leadership and high level objectives Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Leadership and high level objectives Preventive
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Leadership and high level objectives Preventive
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Leadership and high level objectives Preventive
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Leadership and high level objectives Preventive
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Leadership and high level objectives Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Preventive
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Technical security Preventive
    Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 Technical security Corrective
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Technical security Preventive
    Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 Technical security Preventive
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Technical security Preventive
    Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 Technical security Preventive
    Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 Technical security Preventive
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Technical security Corrective
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Preventive
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Preventive
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Preventive
    Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 Human Resources management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Human Resources management Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Preventive
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Human Resources management Preventive
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858
    [{refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within speculative activities prohibited by statutes; Article 44-7(1)(6)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that commits an activity prohibited by the National Security Act; Article 44-7(1)(8)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Other information with a content that attempts, aids, or abets to commit a crime. Article 44-7(1)(9)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that arouses fear or apprehension by reaching other persons repeatedly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(3)]
    Human Resources management Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Preventive
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Preventive
    Communicate the service management program to interested personnel and affected parties. CC ID 13904 Operational management Preventive
    Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 Operational management Preventive
    Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 Operational management Preventive
    Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 Operational management Preventive
    Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 Operational management Preventive
    Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 Operational management Preventive
    Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459
    [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)
    {relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3)]
    Operational management Preventive
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Preventive
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Preventive
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Preventive
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Preventive
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Preventive
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Corrective
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Preventive
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Corrective
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142
    [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)]
    Operational management Preventive
    Provide customer security advice, as necessary. CC ID 13674
    [{relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3)
    A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)]
    Operational management Preventive
    Use simple understandable language when providing customer security advice. CC ID 13685 Operational management Preventive
    Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 Operational management Preventive
    Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 Acquisition or sale of facilities, technology, and services Preventive
    Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 Acquisition or sale of facilities, technology, and services Preventive
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Privacy protection for information and data Preventive
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Privacy protection for information and data Preventive
    Update privacy notices, as necessary. CC ID 13474 Privacy protection for information and data Preventive
    Redeliver privacy notices, as necessary. CC ID 14850 Privacy protection for information and data Preventive
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Privacy protection for information and data Preventive
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Privacy protection for information and data Preventive
    Deliver opt-out notices, as necessary. CC ID 13449 Privacy protection for information and data Preventive
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Privacy protection for information and data Preventive
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Privacy protection for information and data Preventive
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Privacy protection for information and data Preventive
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Privacy protection for information and data Preventive
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Privacy protection for information and data Preventive
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Privacy protection for information and data Preventive
    Notify data subjects about their privacy rights. CC ID 12989
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Rights of users and their legal representatives and methods for the exercise of such rights; Article 27-2(2)(5)]
    Privacy protection for information and data Preventive
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Privacy protection for information and data Preventive
    Provide public proof the organization participates in a privacy program. CC ID 12349 Privacy protection for information and data Preventive
    Disclose statements added to education records, as necessary. CC ID 12990 Privacy protection for information and data Preventive
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Privacy protection for information and data Preventive
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Privacy protection for information and data Preventive
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Privacy protection for information and data Preventive
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject, as necessary. CC ID 12625
    [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2)
    A provider of information and communications services may, if it is difficult to judge whether information violates any right or it is anticipated that there will probably be a dispute between interested parties, take a measure to block access to the information temporarily (hereinafter referred to as "temporary measures"), irrespective of a request for deletion of the information under paragraph (1). In such cases, the period of time for the temporary measure shall not exceed 30 days. Article 44-2(4)]
    Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Privacy protection for information and data Preventive
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Privacy protection for information and data Preventive
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)]
    Privacy protection for information and data Preventive
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Privacy protection for information and data Preventive
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Privacy protection for information and data Preventive
    Disseminate private communications when required by law. CC ID 14335 Privacy protection for information and data Corrective
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 Privacy protection for information and data Preventive
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Preventive
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Preventive
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Privacy protection for information and data Corrective
    Notify the data controller of any changes in data processors. CC ID 12648 Privacy protection for information and data Preventive
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502
    [{stipulated timeframe} The provider, etc. of information and communications services shall notify, until 30 days before expiration of the period under paragraph (2), the users of the matters prescribed by Presidential Decree such as the fact that the personal information will be destroyed, the expiration date of the period and items of personal information subject to destruction, in a manner prescribed by Presidential Decree such as by email. Article 29(3)]
    Privacy protection for information and data Preventive
    Disclose de-identified data, as necessary. CC ID 13034 Privacy protection for information and data Preventive
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Corrective
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708
    [{refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to avoid or interfere with an addressee's refusal to receive or revocation of his or her consent to receive advertising information; Article 50(5)(1)
    {refrain from transmitting} Notwithstanding paragraph (1), where an addressee expresses his or her intention to refuse to receive information or revokes his or her prior consent, no person who intends to transmit advertising information for profit by using an electronic transmission medium shall transmit advertising information for profit. Article 50(2)
    A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If a user does not want to receive advertising information; Article 50-4(1)(2)]
    Privacy protection for information and data Corrective
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Privacy protection for information and data Corrective
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Privacy protection for information and data Corrective
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267
    [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2)]
    Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Privacy protection for information and data Preventive
    Capture personal data removal requests. CC ID 13507
    [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)]
    Privacy protection for information and data Preventive
    Notify the data subject of the disclosure purpose. CC ID 15268 Privacy protection for information and data Preventive
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Preventive
    Notify the data subject of any exclusions to requested personal data. CC ID 15271 Privacy protection for information and data Preventive
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Privacy protection for information and data Preventive
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Privacy protection for information and data Preventive
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Privacy protection for information and data Preventive
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Preventive
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414
    [A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)]
    Privacy protection for information and data Preventive
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Privacy protection for information and data Preventive
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Privacy protection for information and data Preventive
    Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 Privacy protection for information and data Preventive
    Notify third parties of unresolved challenges. CC ID 13559 Privacy protection for information and data Preventive
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Privacy protection for information and data Corrective
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 Privacy protection for information and data Preventive
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 Privacy protection for information and data Preventive
    Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993
    [{refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically register telephone numbers or email addresses for the purpose of transmitting advertising information for profit; Article 50(5)(3)
    {refrain from posting} Notwithstanding paragraph (1), where the operator or the manager of an Internet website explicitly expresses his or her intention to refuse to post a notice or to revoke his or her prior consent, no person who intends to post advertising information for profit shall post advertising information for profit. Article 50-7(2)]
    Privacy protection for information and data Preventive
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Third Party and supply chain oversight Preventive
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Third Party and supply chain oversight Preventive
  • Configuration
    76
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581
    [The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Installation of a systematic or technical device for preventing unlawful use of information and communications networks; Article 51(3)(1)]
    Monitoring and measurement Preventive
    Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 Technical security Preventive
    Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 Technical security Preventive
    Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 Technical security Preventive
    Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 Technical security Preventive
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Preventive
    Grant access to authorized personnel or systems. CC ID 12186 Technical security Preventive
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284
    [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)]
    Technical security Preventive
    Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 Technical security Detective
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 Technical security Preventive
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Technical security Preventive
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Technical security Preventive
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Technical security Preventive
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Technical security Preventive
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Technical security Preventive
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Technical security Preventive
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Technical security Preventive
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Technical security Preventive
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Technical security Preventive
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Technical security Preventive
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Technical security Preventive
    Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 Technical security Preventive
    Synchronize and secure all router configuration files. CC ID 01291 Technical security Preventive
    Synchronize and secure all firewall configuration files. CC ID 11851 Technical security Preventive
    Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 Technical security Preventive
    Configure network access and control points to organizational standards. CC ID 12442 Technical security Detective
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 Technical security Preventive
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Technical security Preventive
    Install security and protection software, as necessary. CC ID 00575
    [{antivirus software} Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5)]
    Technical security Preventive
    Lock antivirus configurations. CC ID 10047 Technical security Preventive
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Physical and environmental protection Preventive
    Install emergency doors to permit egress only. CC ID 06688 Physical and environmental protection Preventive
    Install contact alarms on doors, as necessary. CC ID 06710 Physical and environmental protection Preventive
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Physical and environmental protection Preventive
    Install contact alarms on openable windows, as necessary. CC ID 06690 Physical and environmental protection Preventive
    Install glass break alarms on windows, as necessary. CC ID 06691 Physical and environmental protection Preventive
    Configure video cameras to cover all physical entry points. CC ID 06302 Physical and environmental protection Preventive
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Physical and environmental protection Preventive
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Physical and environmental protection Preventive
    Automate threat assessments, as necessary. CC ID 06877 Operational management Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Preventive
    Configure authenticators to comply with organizational standards. CC ID 06412 System hardening through configuration management Preventive
    Configure the system to require new users to change their authenticator on first use. CC ID 05268 System hardening through configuration management Preventive
    Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 System hardening through configuration management Preventive
    Configure the system to prevent unencrypted authenticator use. CC ID 04457 System hardening through configuration management Preventive
    Disable store passwords using reversible encryption. CC ID 01708 System hardening through configuration management Preventive
    Configure the system to encrypt authenticators. CC ID 06735 System hardening through configuration management Preventive
    Configure the system to mask authenticators. CC ID 02037 System hardening through configuration management Preventive
    Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 System hardening through configuration management Preventive
    Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 System hardening through configuration management Preventive
    Disable machine account password changes. CC ID 01737 System hardening through configuration management Preventive
    Configure the "Disable Remember Password" setting. CC ID 05270 System hardening through configuration management Preventive
    Configure the "Minimum password age" to organizational standards. CC ID 01703 System hardening through configuration management Preventive
    Configure the LILO/GRUB password. CC ID 01576 System hardening through configuration management Preventive
    Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 System hardening through configuration management Preventive
    Change the default password to Apple's Keychain. CC ID 04482 System hardening through configuration management Preventive
    Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 System hardening through configuration management Preventive
    Configure the Syskey Encryption Key and associated password. CC ID 05978 System hardening through configuration management Preventive
    Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 System hardening through configuration management Preventive
    Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 System hardening through configuration management Preventive
    Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 System hardening through configuration management Preventive
    Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 System hardening through configuration management Preventive
    Configure the "Send LanMan compatible password" setting. CC ID 05271 System hardening through configuration management Preventive
    Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 System hardening through configuration management Preventive
    Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 System hardening through configuration management Preventive
    Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 System hardening through configuration management Preventive
    Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 System hardening through configuration management Preventive
    Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 System hardening through configuration management Preventive
    Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 System hardening through configuration management Preventive
    Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 System hardening through configuration management Preventive
    Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 System hardening through configuration management Preventive
    Encrypt electronic commerce transactions and messages. CC ID 08621 Acquisition or sale of facilities, technology, and services Preventive
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Preventive
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Preventive
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Preventive
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Privacy protection for information and data Preventive
  • Data and Information Management
    512
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Include valuation models in the margin system. CC ID 16663 Leadership and high level objectives Preventive
    Include procedures for collecting price data in the margin system. CC ID 16662 Leadership and high level objectives Preventive
    Include reliable sources for price data in the margin system. CC ID 16661 Leadership and high level objectives Preventive
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Leadership and high level objectives Preventive
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Leadership and high level objectives Preventive
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Leadership and high level objectives Preventive
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Leadership and high level objectives Preventive
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Leadership and high level objectives Preventive
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Leadership and high level objectives Preventive
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Leadership and high level objectives Preventive
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Leadership and high level objectives Preventive
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Leadership and high level objectives Preventive
    Include account information in the recordkeeping system for securities transactions. CC ID 16632 Leadership and high level objectives Preventive
    Enforce access restrictions for restricted data. CC ID 01921
    [A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)]
    Technical security Preventive
    Include the date and time that access was reviewed in the system record. CC ID 16416 Technical security Preventive
    Protect data stored at external locations. CC ID 16333 Technical security Preventive
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Technical security Preventive
    Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 Technical security Preventive
    Constrain the information flow of restricted data or restricted information. CC ID 06763
    [The Government may have providers or users of information and communications services to take necessary measures to prevent outflow abroad of any important information about industry, economy, science, technology, etc. of this country through information and communications networks. Article 51(1)]
    Technical security Preventive
    Quarantine data that fails security tests. CC ID 16500 Technical security Corrective
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 Technical security Preventive
    Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 Technical security Preventive
    Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 Technical security Preventive
    Implement the documented cryptographic module security functions. CC ID 06755 Technical security Preventive
    Establish, implement, and maintain digital signatures. CC ID 13828 Technical security Preventive
    Include the expiration date in digital signatures. CC ID 13833 Technical security Preventive
    Include audience restrictions in digital signatures. CC ID 13834 Technical security Preventive
    Include the subject in digital signatures. CC ID 13832 Technical security Preventive
    Include the issuer in digital signatures. CC ID 13831 Technical security Preventive
    Include identifiers in the digital signature. CC ID 13829 Technical security Preventive
    Encrypt in scope data or in scope information, as necessary. CC ID 04824 Technical security Preventive
    Digitally sign records and data, as necessary. CC ID 16507 Technical security Preventive
    Decrypt restricted data for the minimum time required. CC ID 12308 Technical security Preventive
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Technical security Preventive
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 Technical security Preventive
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Technical security Preventive
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Technical security Preventive
    Generate strong cryptographic keys. CC ID 01299 Technical security Preventive
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Technical security Preventive
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Technical security Preventive
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Technical security Preventive
    Store cryptographic keys securely. CC ID 01298 Technical security Preventive
    Restrict access to cryptographic keys. CC ID 01297 Technical security Preventive
    Store cryptographic keys in encrypted format. CC ID 06084 Technical security Preventive
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Technical security Preventive
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Technical security Preventive
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Technical security Preventive
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Technical security Preventive
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Technical security Corrective
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Technical security Corrective
    Archive outdated cryptographic keys. CC ID 06884 Technical security Preventive
    Archive revoked cryptographic keys. CC ID 11819 Technical security Preventive
    Manage the digital signature cryptographic key pair. CC ID 06576 Technical security Preventive
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Human Resources management Corrective
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Preventive
    Identify the sender in all electronic messages. CC ID 13996 Operational management Preventive
    Share incident information with interested personnel and affected parties. CC ID 01212
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Operational management Corrective
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Preventive
    Report data loss event information to breach notification organizations. CC ID 01210
    [{relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5)
    {relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)
    {relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3)
    {relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)
    {relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1)
    {relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4)
    {relevant authority} A person falling under any of the following subparagraphs shall, where he or she discovers an intrusion, immediately report it to the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency. In such cases, a notice given in accordance with Article 13 (1) of the Act on the Protection of Information and Communications Infrastructure shall be deemed a report under the foregoing sentence: Article 48-3(1)
    {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)]
    Operational management Corrective
    Ensure the root account is the first entry in password files. CC ID 16323 System hardening through configuration management Detective
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Records management Preventive
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Preventive
    Include required information in electronic commerce transactions and messages. CC ID 15318 Acquisition or sale of facilities, technology, and services Preventive
    Make electronic commerce order information available to the customer who ordered the product. CC ID 04585
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Date and time telecommunications billing services are used; Article 58(1)(1)
    When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Amount purchased/used through telecommunications billing services and details thereof; Article 58(1)(3)
    A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)]
    Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Preventive
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Privacy protection for information and data Preventive
    Deliver notices to the intended parties. CC ID 06240 Privacy protection for information and data Preventive
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Privacy protection for information and data Preventive
    Provide legal authorities access to personal data, upon request. CC ID 06818 Privacy protection for information and data Preventive
    Document the countries where restricted data may be stored. CC ID 12750 Privacy protection for information and data Preventive
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Privacy protection for information and data Preventive
    Disclose educational data, as necessary. CC ID 00223 Privacy protection for information and data Preventive
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Privacy protection for information and data Preventive
    Disclose education records when written consent is received. CC ID 00224 Privacy protection for information and data Preventive
    Disclose educational data absent consent to other school officials. CC ID 00226 Privacy protection for information and data Preventive
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Privacy protection for information and data Preventive
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Privacy protection for information and data Preventive
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Privacy protection for information and data Preventive
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Privacy protection for information and data Preventive
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Privacy protection for information and data Preventive
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Privacy protection for information and data Preventive
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Privacy protection for information and data Preventive
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Privacy protection for information and data Preventive
    Disclose educational data absent consent to a crime victim. CC ID 00236 Privacy protection for information and data Preventive
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Privacy protection for information and data Preventive
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: Items of the personal information transferred; Article 63(3)(1)]
    Privacy protection for information and data Preventive
    Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 Privacy protection for information and data Preventive
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391
    [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The methods and procedures available for revocation of consent, where a user does not want his or her personal information transferred to a third party. Article 26(1)(3)
    Every user may, at any time, revoke his or her consent given to a provider of information and communications services or similar to allow the provider to collect, use, or furnish his or her personal information. Article 30(1)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to the provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3)
    {not necessary}{do not consent}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Fact that users may give no consent to the permission on access authority. Article 22-2(1)(2)(c)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Privacy protection for information and data Preventive
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Privacy protection for information and data Preventive
    Refrain from obtaining consent through deception. CC ID 13556 Privacy protection for information and data Preventive
    Give individuals the ability to change the uses of their personal data. CC ID 00469
    [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)]
    Privacy protection for information and data Preventive
    Notify data subjects of the implications of withdrawing consent. CC ID 13551
    [Where an addressee gives prior consent under paragraph (1) or expresses his or her intention to refuse to receive or revoke his or her consent to receive advertising information under paragraph (2), a person who intends to transmit advertising information for profit by using an electronic transmission medium shall inform the relevant addressee of the outcomes of measures taken in relation to consent to receive, refusal to receive, or revocation of consent to receive advertising information, as prescribed by Presidential Decree. Article 50(7)]
    Privacy protection for information and data Preventive
    Cooperate with Data Protection Authorities. CC ID 06870 Privacy protection for information and data Preventive
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Preventive
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Preventive
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Preventive
    Dispose of media and restricted data in a timely manner. CC ID 00125
    [{refrain from destroying} A provider of information and communications services or similar shall, if any of the following occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1)]
    Privacy protection for information and data Preventive
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Preventive
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a)
    Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b)
    {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a)
    {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4)
    A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)]
    Privacy protection for information and data Preventive
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Preventive
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Preventive
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Preventive
    Delay responding to data access requests, as necessary. CC ID 15504 Privacy protection for information and data Preventive
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Preventive
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Preventive
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Preventive
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Privacy protection for information and data Preventive
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Privacy protection for information and data Preventive
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Preventive
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Preventive
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Preventive
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Preventive
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Preventive
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Preventive
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Preventive
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Preventive
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Preventive
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Preventive
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Privacy protection for information and data Preventive
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Preventive
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Preventive
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Preventive
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188
    [{refrain from obtaining}If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a telemarketer under the Act on Door-to-Door Sales, Etc. informs prospective customers of the collection source of their personal information by voice, and solicits them to buy products or services by means of telephone call. Article 50(1)(2)]
    Privacy protection for information and data Preventive
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Preventive
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Preventive
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Preventive
    Process personal data in order to advance the public interest. CC ID 00191 Privacy protection for information and data Preventive
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Privacy protection for information and data Preventive
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Preventive
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Preventive
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Preventive
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Preventive
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Preventive
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Preventive
    Process personal data absent consent for specific and well-documented circumstances. CC ID 13537
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)]
    Privacy protection for information and data Preventive
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Privacy protection for information and data Preventive
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Privacy protection for information and data Preventive
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Privacy protection for information and data Preventive
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Privacy protection for information and data Preventive
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)]
    Privacy protection for information and data Preventive
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Privacy protection for information and data Preventive
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Privacy protection for information and data Preventive
    Process personal data absent consent in order to perform a contract. CC ID 13586 Privacy protection for information and data Preventive
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Privacy protection for information and data Preventive
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Privacy protection for information and data Preventive
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Privacy protection for information and data Preventive
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Privacy protection for information and data Preventive
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Privacy protection for information and data Preventive
    Process personal data absent consent when it is needed by law. CC ID 13577
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3)
    A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Privacy protection for information and data Preventive
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Privacy protection for information and data Preventive
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Privacy protection for information and data Preventive
    Process personal data absent consent to create a credit report. CC ID 15288 Privacy protection for information and data Preventive
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Privacy protection for information and data Preventive
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Privacy protection for information and data Preventive
    Process personal data absent consent when produced for business purposes. CC ID 13563 Privacy protection for information and data Preventive
    Process personal data absent consent for handling insurance claims. CC ID 13561 Privacy protection for information and data Preventive
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Privacy protection for information and data Preventive
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Privacy protection for information and data Preventive
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Privacy protection for information and data Preventive
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Privacy protection for information and data Preventive
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Privacy protection for information and data Preventive
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Privacy protection for information and data Detective
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Privacy protection for information and data Preventive
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Privacy protection for information and data Preventive
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Privacy protection for information and data Preventive
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Privacy protection for information and data Preventive
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Privacy protection for information and data Preventive
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Privacy protection for information and data Preventive
    Disclose personal data absent consent to create a credit report. CC ID 15297 Privacy protection for information and data Preventive
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Privacy protection for information and data Preventive
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Privacy protection for information and data Preventive
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Privacy protection for information and data Preventive
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Privacy protection for information and data Preventive
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Privacy protection for information and data Preventive
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Privacy protection for information and data Preventive
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Privacy protection for information and data Preventive
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Privacy protection for information and data Preventive
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Privacy protection for information and data Preventive
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Privacy protection for information and data Preventive
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Privacy protection for information and data Preventive
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Privacy protection for information and data Preventive
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Privacy protection for information and data Preventive
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Privacy protection for information and data Preventive
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Privacy protection for information and data Preventive
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Privacy protection for information and data Preventive
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Privacy protection for information and data Preventive
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Privacy protection for information and data Preventive
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Privacy protection for information and data Preventive
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Privacy protection for information and data Preventive
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Privacy protection for information and data Preventive
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Privacy protection for information and data Preventive
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Privacy protection for information and data Preventive
    Refrain from redisclosing or reusing restricted data. CC ID 00169
    [A person who manages or has ever managed personal information of users shall not damage, intrude on, or disclose personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)]
    Privacy protection for information and data Preventive
    Redisclose restricted data when the data subject consents. CC ID 00171 Privacy protection for information and data Preventive
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Privacy protection for information and data Preventive
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Privacy protection for information and data Preventive
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Privacy protection for information and data Preventive
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Privacy protection for information and data Preventive
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Privacy protection for information and data Preventive
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Privacy protection for information and data Preventive
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a)
    Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b)
    {not necessary} Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a)
    {not necessary} Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b)
    {stipulated timeframe} Notwithstanding paragraph (1), a person who intends to transmit advertising information for profit by using an electronic transmission medium during the time between 9:00 pm and 8:00 am of the following day shall obtain express prior consent from the addressee of such information: Provided, That in cases of media prescribed by Presidential Decree, the foregoing shall not apply thereto. Article 50(3)]
    Privacy protection for information and data Preventive
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198
    [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)]
    Privacy protection for information and data Preventive
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Preventive
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Preventive
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Preventive
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Preventive
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Preventive
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Preventive
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Preventive
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Preventive
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Privacy protection for information and data Preventive
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Privacy protection for information and data Preventive
    Review personal data disclosure requests. CC ID 07129 Privacy protection for information and data Preventive
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Privacy protection for information and data Preventive
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Preventive
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Preventive
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Preventive
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Preventive
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Preventive
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Preventive
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Preventive
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Preventive
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Preventive
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Preventive
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Detective
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Preventive
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Preventive
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Preventive
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Preventive
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Preventive
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Preventive
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Preventive
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [A provider of information and communications services shall inform interested persons, such as users to whom such services are provided, of the fact that he or she has taken measures for refusal under paragraph (1) or (4): Provided, That where it is impracticable to inform them of the fact in advance, he or she shall inform them of the fact immediately after it has taken measures for refusal. Article 50-4(3)]
    Privacy protection for information and data Preventive
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Preventive
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Privacy protection for information and data Preventive
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Preventive
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Preventive
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Privacy protection for information and data Preventive
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Preventive
    Provide data at a cost that is not excessive. CC ID 00430 Privacy protection for information and data Preventive
    Provide records or data in a reasonable manner. CC ID 00431 Privacy protection for information and data Preventive
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Preventive
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Preventive
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Preventive
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Preventive
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Privacy protection for information and data Preventive
    Refrain from collecting personal data, as necessary. CC ID 15269
    [{refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)
    {refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1)]
    Privacy protection for information and data Preventive
    Use personal data for specified purposes. CC ID 11831 Privacy protection for information and data Preventive
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1)
    {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)]
    Privacy protection for information and data Preventive
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Privacy protection for information and data Preventive
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Privacy protection for information and data Preventive
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Privacy protection for information and data Preventive
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Privacy protection for information and data Preventive
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Privacy protection for information and data Preventive
    Include an individual's name in the personal data definition. CC ID 04710 Privacy protection for information and data Preventive
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Privacy protection for information and data Preventive
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Privacy protection for information and data Preventive
    Include an individual's signature in the personal data definition. CC ID 04711 Privacy protection for information and data Preventive
    Include an individual's date of birth in the personal data definition. CC ID 04770 Privacy protection for information and data Preventive
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Privacy protection for information and data Preventive
    Include an individual's biometric data in the personal data definition. CC ID 04698 Privacy protection for information and data Preventive
    Include an individual's photographic image in the personal data definition. CC ID 04779 Privacy protection for information and data Preventive
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Privacy protection for information and data Preventive
    Include an individual's address in the personal data definition. CC ID 04687 Privacy protection for information and data Preventive
    Include an individual's telephone number in the personal data definition. CC ID 04688 Privacy protection for information and data Preventive
    Include an individual's fax number in the personal data definition. CC ID 07120 Privacy protection for information and data Preventive
    Include an individual's financial account number in the personal data definition. CC ID 04692 Privacy protection for information and data Preventive
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Privacy protection for information and data Preventive
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Privacy protection for information and data Preventive
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Privacy protection for information and data Preventive
    Include an individual's passport number in the personal data definition. CC ID 04713 Privacy protection for information and data Preventive
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Privacy protection for information and data Preventive
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Privacy protection for information and data Preventive
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Privacy protection for information and data Preventive
    Include electronic signatures in the personal data definition. CC ID 04697 Privacy protection for information and data Preventive
    Include an individual's payment card information in the personal data definition. CC ID 04751 Privacy protection for information and data Preventive
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Privacy protection for information and data Preventive
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Privacy protection for information and data Preventive
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Privacy protection for information and data Preventive
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Privacy protection for information and data Preventive
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Privacy protection for information and data Preventive
    Include an individual's medical history in the personal data definition. CC ID 04701 Privacy protection for information and data Preventive
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Privacy protection for information and data Preventive
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Privacy protection for information and data Preventive
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Privacy protection for information and data Preventive
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Privacy protection for information and data Preventive
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Privacy protection for information and data Preventive
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Privacy protection for information and data Preventive
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Privacy protection for information and data Preventive
    Include an individual's education information in the personal data definition. CC ID 04714 Privacy protection for information and data Preventive
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Privacy protection for information and data Preventive
    Include an individual's employment information in the personal data definition. CC ID 04715 Privacy protection for information and data Preventive
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Privacy protection for information and data Preventive
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Privacy protection for information and data Preventive
    Include an individual's employment history in the personal data definition. CC ID 04716 Privacy protection for information and data Preventive
    Include an individual's place of employment in the personal data definition. CC ID 04765 Privacy protection for information and data Preventive
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Privacy protection for information and data Preventive
    Include an individual's property information in the personal data definition. CC ID 04780 Privacy protection for information and data Preventive
    Include an individual's property title in the personal data definition. CC ID 04781 Privacy protection for information and data Preventive
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Privacy protection for information and data Preventive
    Include hardware asset identification information in the personal data definition. CC ID 07123 Privacy protection for information and data Preventive
    Include MAC addresses in the personal data definition. CC ID 04778 Privacy protection for information and data Preventive
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Privacy protection for information and data Preventive
    Include asset serial numbers in the personal data definition. CC ID 07124 Privacy protection for information and data Preventive
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Privacy protection for information and data Preventive
    Define specially restricted data. CC ID 00037 Privacy protection for information and data Preventive
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Privacy protection for information and data Preventive
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Privacy protection for information and data Preventive
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Privacy protection for information and data Preventive
    Implement a nondiscrimination principle. CC ID 00081 Privacy protection for information and data Preventive
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Privacy protection for information and data Preventive
    Preserve each individual's right to human dignity. CC ID 00082 Privacy protection for information and data Preventive
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Privacy protection for information and data Preventive
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Privacy protection for information and data Preventive
    Manage health data collection. CC ID 00050 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Privacy protection for information and data Preventive
    Collect Individually Identifiable Health Information for research. CC ID 00054 Privacy protection for information and data Preventive
    Remove personal data before disclosing health data. CC ID 00055 Privacy protection for information and data Preventive
    Give special attention to collecting children's data. CC ID 00038 Privacy protection for information and data Preventive
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041
    [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)]
    Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Privacy protection for information and data Preventive
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Privacy protection for information and data Preventive
    Collect personal data directly from the data subject. CC ID 00011 Privacy protection for information and data Preventive
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Privacy protection for information and data Preventive
    Provide unlinkability for users and resources. CC ID 04550 Privacy protection for information and data Preventive
    Collect restricted data in a fair and lawful manner. CC ID 00010
    [{refrain from collecting} No one shall collect another person's information through an information and communications network by an act of deceit, nor shall entice another person by an act of deceit to furnish information. Article 49-2(1)
    Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1)
    {relevant authority} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)]
    Privacy protection for information and data Preventive
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Privacy protection for information and data Preventive
    Collect restricted data absent consent when the data collection is in the individual's interests and consent cannot be obtained in a timely manner. CC ID 00014
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)]
    Privacy protection for information and data Preventive
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Privacy protection for information and data Preventive
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Privacy protection for information and data Preventive
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Privacy protection for information and data Preventive
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Privacy protection for information and data Preventive
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Privacy protection for information and data Preventive
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Privacy protection for information and data Preventive
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Privacy protection for information and data Preventive
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Privacy protection for information and data Preventive
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Privacy protection for information and data Preventive
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Privacy protection for information and data Preventive
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)]
    Privacy protection for information and data Preventive
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Privacy protection for information and data Preventive
    Collect restricted data absent consent from publicly available information. CC ID 00019 Privacy protection for information and data Preventive
    Collect restricted data absent consent when needed by law. CC ID 00020
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3)
    {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)]
    Privacy protection for information and data Preventive
    Collect personal data absent consent to create a credit report. CC ID 15287 Privacy protection for information and data Preventive
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Privacy protection for information and data Preventive
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Privacy protection for information and data Preventive
    Collect the minimum amount of restricted data necessary. CC ID 00078
    [{be necessary} Where a provider of information and communications services collects personal information of a user, he or she shall only collect personal information within the minimum scope necessary to provide information and communications services. Article 23(2)]
    Privacy protection for information and data Preventive
    Collect restricted data in a proper information framework. CC ID 00009 Privacy protection for information and data Preventive
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Privacy protection for information and data Preventive
    Collect restricted data when required by law. CC ID 00031
    [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2)]
    Privacy protection for information and data Preventive
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Privacy protection for information and data Preventive
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Privacy protection for information and data Preventive
    Collect restricted data for legal purposes. CC ID 00036 Privacy protection for information and data Preventive
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Preventive
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Preventive
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Preventive
    Limit data leakage. CC ID 00356
    [{refrain from exposing} A provider, etc. of information and communications services shall ensure that users' personal information such as resident registration numbers, account numbers and credit cards information is not exposed to the public through information and communications networks. Article 32-3(1)
    The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Measures for preventing leakage of important information that providers of information and communications services have learned while managing the information. Article 51(3)(3)
    A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Detective
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Detective
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Detective
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Detective
    Include text about data ownership in the data handling policy. CC ID 15720 Privacy protection for information and data Preventive
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Privacy protection for information and data Preventive
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Preventive
    Store de-identifying code and re-identifying code separately. CC ID 16535 Privacy protection for information and data Preventive
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Preventive
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Preventive
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Preventive
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Preventive
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Preventive
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Preventive
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Preventive
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Preventive
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Preventive
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Preventive
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Preventive
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Preventive
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Preventive
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Preventive
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Preventive
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Preventive
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Preventive
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Preventive
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Preventive
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Preventive
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Preventive
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Preventive
    Obtain consent from an individual prior to transferring personal data. CC ID 06948
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1)
    {abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2)
    {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)]
    Privacy protection for information and data Preventive
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314
    [A provider of information and communications services or similar shall, when it transfers personal information to abroad with consent under paragraph (2), take protective measures, as prescribed by Presidential Decree. Article 63(4)]
    Privacy protection for information and data Preventive
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Privacy protection for information and data Preventive
    Prohibit the transfer of personal data when security is inadequate. CC ID 00345 Privacy protection for information and data Preventive
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Privacy protection for information and data Preventive
    Refrain from transferring past the first transfer. CC ID 00347 Privacy protection for information and data Preventive
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Privacy protection for information and data Preventive
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Privacy protection for information and data Preventive
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Privacy protection for information and data Preventive
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Privacy protection for information and data Preventive
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Privacy protection for information and data Preventive
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Privacy protection for information and data Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Privacy protection for information and data Preventive
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322
    [{abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2)]
    Privacy protection for information and data Preventive
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Privacy protection for information and data Preventive
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Privacy protection for information and data Preventive
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Privacy protection for information and data Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Privacy protection for information and data Preventive
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Privacy protection for information and data Preventive
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Privacy protection for information and data Preventive
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Privacy protection for information and data Preventive
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Privacy protection for information and data Preventive
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Privacy protection for information and data Preventive
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Privacy protection for information and data Preventive
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Privacy protection for information and data Preventive
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Privacy protection for information and data Preventive
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Privacy protection for information and data Preventive
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Privacy protection for information and data Preventive
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951
    [A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1]
    Privacy protection for information and data Preventive
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Privacy protection for information and data Preventive
    Develop remedies and sanctions for privacy policy violations. CC ID 00474
    [The operator or the manager of the Internet website may take measures, such as deletion of advertising information for profit posted, in violation of paragraph (1) or (2). Article 50-7(3)
    A provider of information and communications services may, if it finds that information circulated through the information and communications network operated and managed by him or her intrudes on someone's privacy, defames someone, or violates someone's rights, take temporary measures at its discretion. Article 44-3(1)]
    Privacy protection for information and data Preventive
    Implement procedures to file privacy rights violation complaints. CC ID 00476
    [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)]
    Privacy protection for information and data Corrective
    Change or destroy any personal data that is incorrect. CC ID 00462
    [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Privacy protection for information and data Corrective
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Preventive
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Corrective
    Notify individuals of their right to challenge personal data. CC ID 00457
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)]
    Privacy protection for information and data Preventive
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Privacy protection for information and data Preventive
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Privacy protection for information and data Preventive
    Investigate the disputed accuracy of personal data. CC ID 00461 Privacy protection for information and data Preventive
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Privacy protection for information and data Corrective
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Privacy protection for information and data Corrective
    Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304
    [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: Matters concerning measures and methods by which an addressee can easily express his or her intention to refuse to receive information or to revoke his or her consent to receive information. Article 50(4)(2)]
    Privacy protection for information and data Preventive
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Detective
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Third Party and supply chain oversight Preventive
  • Establish Roles
    22
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Preventive
    Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 Technical security Preventive
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Technical security Preventive
    Define and assign roles and responsibilities for malicious code protection. CC ID 15474 Technical security Preventive
    Employ security guards to provide physical security, as necessary. CC ID 06653 Physical and environmental protection Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Preventive
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091
    [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1)
    A provider of information and communications services may establish and operate an association of chief information protection officers comprised of chief information protection officers prescribed in paragraph (1) in order to jointly perform prevention/response in cases of intrusion, sharing necessary information and other joint programs prescribed by Presidential Decree. Article 45-3(4)]
    Human Resources management Preventive
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714
    [A provider of information and communications services whose the average number of users per day, sales, and other related factors fall under the criteria prescribed by Presidential Decree shall designate a person responsible for protection of juvenile to keep juvenile from unwholesome information to juvenile in the information and communication network. Article 42-3(1)
    The person responsible for protection of juvenile shall be chosen from among executive officers of the relevant business operator or the persons in a position equivalent to the head of a department responsible for business affairs related to protection of juvenile. Article 42-3(2)]
    Human Resources management Preventive
    Identify and define all critical roles. CC ID 00777 Human Resources management Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471
    [Every provider of information and communications services or similar shall designate a person responsible for protection of personal information so that he or she protects the personal information of users and process complaints from users in connection with the personal information: Provided, That a provider of information and communications services or similar may, if he or she falls under the criteria prescribed by Presidential Decree for the number of employees, number of users, and other related matters, omit such designation. Article 27(1)
    If a provider of information and communications services or similar does not designate a person responsible for protection of personal information under the proviso to paragraph (1), the business owner or representative of the provider or similar shall be the person responsible for protection of personal information. Article 27(2)]
    Human Resources management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Human Resources management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Human Resources management Preventive
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Preventive
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Operational management Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Preventive
    Establish, implement, and maintain data processing integrity controls. CC ID 00923
    [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)]
    Records management Preventive
    Include roles and responsibilities in the registration notice. CC ID 16803 Privacy protection for information and data Preventive
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Preventive
    Process restricted data lawfully and carefully. CC ID 00086
    [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1)
    Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2)
    {relevant authority} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)]
    Privacy protection for information and data Preventive
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Third Party and supply chain oversight Preventive
  • Establish/Maintain Documentation
    974
    Define the thresholds for reporting in the external reporting program. CC ID 15679 Leadership and high level objectives Preventive
    Include information about the organizational culture in the external reporting program. CC ID 15610 Leadership and high level objectives Preventive
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Leadership and high level objectives Preventive
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Leadership and high level objectives Preventive
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Leadership and high level objectives Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A business plan. Article 53(1)(4)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Preventive
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Preventive
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Leadership and high level objectives Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Leadership and high level objectives Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Leadership and high level objectives Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 Leadership and high level objectives Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Financial soundness; Article 53(1)(1)]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Leadership and high level objectives Preventive
    Include communication protocols in the financial management program. CC ID 16763 Leadership and high level objectives Preventive
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Leadership and high level objectives Preventive
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Leadership and high level objectives Preventive
    Establish, implement, and maintain financial resource management procedures. CC ID 16642 Leadership and high level objectives Preventive
    Document the rationale for the amount of financial resources being held. CC ID 16688 Leadership and high level objectives Preventive
    Establish, implement, and maintain collateral procedures. CC ID 16653 Leadership and high level objectives Preventive
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Leadership and high level objectives Preventive
    Define the collateral requirements in the collateral procedures. CC ID 16686 Leadership and high level objectives Preventive
    Identify and document the financial resources available for use. CC ID 16643 Leadership and high level objectives Preventive
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Leadership and high level objectives Preventive
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Leadership and high level objectives Preventive
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Leadership and high level objectives Preventive
    Include roles and responsibilities in the securities trading program. CC ID 16689 Leadership and high level objectives Preventive
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Leadership and high level objectives Preventive
    Include performance guarantees in the capital restoration plan. CC ID 16616 Leadership and high level objectives Preventive
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Leadership and high level objectives Preventive
    Include required information in the capital restoration plan. CC ID 16609 Leadership and high level objectives Preventive
    Establish, implement, and maintain valuation procedures. CC ID 16634 Leadership and high level objectives Preventive
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Leadership and high level objectives Preventive
    Establish, implement, and maintain lending policies. CC ID 16608 Leadership and high level objectives Preventive
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Leadership and high level objectives Preventive
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Leadership and high level objectives Preventive
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Leadership and high level objectives Preventive
    Include pricing structures in the lending policy. CC ID 16724 Leadership and high level objectives Preventive
    Include monitoring requirements in the lending policy. CC ID 16710 Leadership and high level objectives Preventive
    Include loan origination procedures in the lending policy. CC ID 16709 Leadership and high level objectives Preventive
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Leadership and high level objectives Preventive
    Include loan requirements in the lending policy. CC ID 16706 Leadership and high level objectives Preventive
    Include appraisals and evaluations in the lending policy. CC ID 16705 Leadership and high level objectives Preventive
    Include terms and conditions in the lending policy. CC ID 16695 Leadership and high level objectives Preventive
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Leadership and high level objectives Preventive
    Include geographic areas in the lending policy. CC ID 16691 Leadership and high level objectives Preventive
    Include underwriting guidelines in the lending policy. CC ID 16619 Leadership and high level objectives Preventive
    Include credit review in the underwriting guidelines. CC ID 16765 Leadership and high level objectives Preventive
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Leadership and high level objectives Preventive
    Include documentation requirements in the lending policy. CC ID 16617 Leadership and high level objectives Preventive
    Include the purpose of the loan in the loan documentation. CC ID 16747 Leadership and high level objectives Preventive
    Include the source of repayment in the loan documentation. CC ID 16746 Leadership and high level objectives Preventive
    Include approval requirements in the lending policy. CC ID 16615 Leadership and high level objectives Preventive
    Include reporting requirements in the lending policy. CC ID 16614 Leadership and high level objectives Preventive
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Leadership and high level objectives Preventive
    Include loan administration procedures in the lending policy. CC ID 16610 Leadership and high level objectives Preventive
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Leadership and high level objectives Preventive
    Include termination procedures in the loan participation agreement. CC ID 16753 Leadership and high level objectives Preventive
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Leadership and high level objectives Preventive
    Include servicing agreements in the loan administration procedures. CC ID 16744 Leadership and high level objectives Preventive
    Include claims processing in the loan administration procedures. CC ID 16742 Leadership and high level objectives Preventive
    Include forbearance management in the loan administration procedures. CC ID 16741 Leadership and high level objectives Preventive
    Include foreclosure management in the loan administration procedures. CC ID 16740 Leadership and high level objectives Preventive
    Include delinquency management in the loan administration procedures. CC ID 16739 Leadership and high level objectives Preventive
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Leadership and high level objectives Preventive
    Include loan closing in the loan administration procedures. CC ID 16734 Leadership and high level objectives Preventive
    Include payoff statements in the loan administration procedures. CC ID 16733 Leadership and high level objectives Preventive
    Include payment processing in the loan administration procedures. CC ID 16732 Leadership and high level objectives Preventive
    Include loan reviews in the loan administration procedures. CC ID 16703 Leadership and high level objectives Preventive
    Include collections in the loan administration procedures. CC ID 16701 Leadership and high level objectives Preventive
    Include collateral inspections in the loan administration procedures. CC ID 16699 Leadership and high level objectives Preventive
    Include disbursements in the loan administration procedures. CC ID 16697 Leadership and high level objectives Preventive
    Establish, implement, and maintain a dividend policy. CC ID 16569 Leadership and high level objectives Preventive
    Include compliance requirements in the dividend policy. CC ID 16570 Leadership and high level objectives Preventive
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Leadership and high level objectives Preventive
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Leadership and high level objectives Preventive
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Leadership and high level objectives Preventive
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Leadership and high level objectives Preventive
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Leadership and high level objectives Preventive
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Leadership and high level objectives Preventive
    Include the call date in the securities transaction notification. CC ID 16680 Leadership and high level objectives Preventive
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Leadership and high level objectives Preventive
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Leadership and high level objectives Preventive
    Include the call price in the securities transaction notification. CC ID 16678 Leadership and high level objectives Preventive
    Include debits and credits in the securities transaction notification. CC ID 16677 Leadership and high level objectives Preventive
    Include transactions in the securities transaction notification. CC ID 16676 Leadership and high level objectives Preventive
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Leadership and high level objectives Preventive
    Include yield information in the securities transaction notification. CC ID 16673 Leadership and high level objectives Preventive
    Include redemption information in the securities transaction notification. CC ID 16672 Leadership and high level objectives Preventive
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Leadership and high level objectives Preventive
    Include the type of call in the securities transaction notification. CC ID 16668 Leadership and high level objectives Preventive
    Include an account statement in the securities transaction notification. CC ID 16666 Leadership and high level objectives Preventive
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Leadership and high level objectives Preventive
    Include the execution price in the securities transaction notification. CC ID 16664 Leadership and high level objectives Preventive
    Include the organization's role in the securities transaction notification. CC ID 16646 Leadership and high level objectives Preventive
    Include the name of the broker in the securities transaction notification. CC ID 16647 Leadership and high level objectives Preventive
    Include the name of the customer in the securities transaction notification. CC ID 16625 Leadership and high level objectives Preventive
    Include the organization's name in the securities transaction notification. CC ID 16624 Leadership and high level objectives Preventive
    Include confirmations in the securities transaction notification. CC ID 16623 Leadership and high level objectives Preventive
    Include remunerations in the securities transaction notification. CC ID 16622 Leadership and high level objectives Preventive
    Include requested information in the securities transaction notification. CC ID 16641 Leadership and high level objectives Preventive
    Include the execution date in the securities transaction notification. CC ID 16620 Leadership and high level objectives Preventive
    Establish, implement, and maintain financial reports. CC ID 14770 Leadership and high level objectives Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588 Leadership and high level objectives Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Preventive
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Preventive
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Preventive
    Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211
    [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)]
    Monitoring and measurement Preventive
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Monitoring and measurement Preventive
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Preventive
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Preventive
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Preventive
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Preventive
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Preventive
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Preventive
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Preventive
    Include security controls in the system security plan. CC ID 14239
    [Every business operator who operates and manages clustered information and communications facilities to render information and communications services on behalf of another person (hereinafter referred to as "business operator of clustered information and communications facilities") shall take protective measures as prescribed by Presidential Decree to operate the information and communications facilities stably. Article 46(1)]
    Monitoring and measurement Preventive
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Preventive
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Preventive
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Preventive
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Preventive
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Preventive
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Preventive
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Preventive
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)]
    Audits and risk management Corrective
    Review and approve the risk assessment findings. CC ID 06485 Audits and risk management Preventive
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Preventive
    Establish, implement, and maintain digital identification procedures. CC ID 13714
    [Any of the following persons shall, if he or she intends to install and operate a message board, take necessary measures, as prescribed by Presidential Decree (hereinafter referred to as "measures for identity verification"), including preparation of methods and procedures for verifying identity of users of the message board: Article 44-5(1)
    {refrain from using} Even where the collection/use of users' resident registration numbers is authorized pursuant to paragraph (1) 2 or 3, an identification method without using the users' resident registration numbers (hereinafter referred to as "alternative means") shall be provided. Article 23-2(2)]
    Technical security Preventive
    Establish, implement, and maintain remote proofing procedures. CC ID 13796 Technical security Preventive
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Preventive
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Preventive
    Establish, implement, and maintain access control procedures. CC ID 11663
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information; Article 28(1)(2)]
    Technical security Preventive
    Document approving and granting access in the access control log. CC ID 06786 Technical security Preventive
    Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 Technical security Preventive
    Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 Technical security Preventive
    Include the date and time that access rights were changed in the system record. CC ID 16415 Technical security Preventive
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544 Technical security Preventive
    Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 Technical security Preventive
    Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 Technical security Preventive
    Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 Technical security Preventive
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Technical security Preventive
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Technical security Preventive
    Define the cryptographic boundaries. CC ID 06543 Technical security Preventive
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Technical security Preventive
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Technical security Preventive
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Technical security Preventive
    Document the operation of the cryptographic module. CC ID 06546 Technical security Preventive
    Generate and protect a secret random number for each digital signature. CC ID 06577 Technical security Preventive
    Establish the security strength requirements for the digital signature process. CC ID 06578 Technical security Preventive
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 Technical security Preventive
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 Technical security Preventive
    Establish, implement, and maintain encryption management procedures. CC ID 15475 Technical security Preventive
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Technical security Preventive
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Technical security Preventive
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Technical security Preventive
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Technical security Preventive
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Technical security Preventive
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Technical security Preventive
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Technical security Preventive
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Technical security Preventive
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Technical security Preventive
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Technical security Preventive
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Technical security Preventive
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Technical security Preventive
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Technical security Preventive
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Technical security Preventive
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Technical security Preventive
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Technical security Preventive
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Technical security Preventive
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Technical security Preventive
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Preventive
    Establish, implement, and maintain a malicious code protection program. CC ID 00574
    [{antivirus software} Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that mutilates, destroys, alters, or forges an information and communications system, data, a program, or similar or that interferes with the operation of such system, data, program, or similar without a justifiable ground; Article 44-7(1)(4)]
    Technical security Preventive
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483 Technical security Preventive
    Establish, implement, and maintain a malicious code protection policy. CC ID 15478 Technical security Preventive
    Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 Technical security Corrective
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)]
    Physical and environmental protection Preventive
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Preventive
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Preventive
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Preventive
    Define communication methods for reporting crimes. CC ID 06349 Physical and environmental protection Preventive
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Preventive
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Preventive
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Preventive
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Preventive
    Post and maintain security signage for all facilities. CC ID 02201 Physical and environmental protection Preventive
    Identify and document physical access controls for all physical entry points. CC ID 01637 Physical and environmental protection Preventive
    Establish, implement, and maintain physical access procedures. CC ID 13629 Physical and environmental protection Preventive
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Physical and environmental protection Preventive
    Escort visitors within the facility, as necessary. CC ID 06417 Physical and environmental protection Preventive
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Preventive
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Preventive
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Preventive
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Preventive
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Preventive
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Corrective
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Preventive
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Preventive
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Preventive
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Preventive
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Preventive
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Preventive
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Preventive
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Preventive
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Preventive
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Physical and environmental protection Preventive
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Physical and environmental protection Preventive
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Preventive
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Physical and environmental protection Preventive
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Physical and environmental protection Preventive
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Physical and environmental protection Preventive
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Physical and environmental protection Preventive
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Physical and environmental protection Preventive
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Preventive
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Physical and environmental protection Preventive
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Preventive
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Physical and environmental protection Preventive
    Establish, implement, and maintain a physical access log. CC ID 12080 Physical and environmental protection Preventive
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Physical and environmental protection Preventive
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Physical and environmental protection Preventive
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [A business operator of clustered information and communications facilities shall, once the event that caused suspension of services terminates, resume its services immediately. Article 46-2(3)]
    Operational and Systems Continuity Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Preventive
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Detective
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Preventive
    Include purchasing insurance in the continuity plan. CC ID 00762 Operational and Systems Continuity Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)]
    Human Resources management Preventive
    Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 Human Resources management Preventive
    Require all new hires to sign the Code of Conduct. CC ID 06665 Human Resources management Preventive
    Require all new hires to sign Acceptable Use Policies. CC ID 06662 Human Resources management Preventive
    Require new hires to sign nondisclosure agreements. CC ID 06668 Human Resources management Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Preventive
    Establish, implement, and maintain a personnel security policy. CC ID 14025 Human Resources management Preventive
    Include compliance requirements in the personnel security policy. CC ID 14154 Human Resources management Preventive
    Include coordination amongst entities in the personnel security policy. CC ID 14114 Human Resources management Preventive
    Include management commitment in the personnel security policy. CC ID 14113 Human Resources management Preventive
    Include roles and responsibilities in the personnel security policy. CC ID 14112 Human Resources management Preventive
    Include the scope in the personnel security policy. CC ID 14111 Human Resources management Preventive
    Include the purpose in the personnel security policy. CC ID 14110 Human Resources management Preventive
    Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 Human Resources management Preventive
    Establish, implement, and maintain personnel security procedures. CC ID 14058 Human Resources management Preventive
    Establish, implement, and maintain security clearance level criteria. CC ID 00780 Human Resources management Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Preventive
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Preventive
    Document the security clearance procedure results. CC ID 01635 Human Resources management Detective
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 Human Resources management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Human Resources management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Preventive
    Document all training in a training record. CC ID 01423 Human Resources management Detective
    Review the current published guidance and awareness and training programs. CC ID 01245 Human Resources management Preventive
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Preventive
    Document security awareness requirements. CC ID 12146 Human Resources management Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Preventive
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Preventive
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Preventive
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Preventive
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Human Resources management Preventive
    Establish, implement, and maintain a Code of Conduct. CC ID 04897
    [An organization of providers of information and communications services may establish and implement a code of conduct applicable to providers of information and communications services with an objective to protect users and render information and communications services in a safer and more reliable way. Article 44-4 ¶ 1]
    Human Resources management Preventive
    Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 Human Resources management Preventive
    Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 Human Resources management Preventive
    Include classifications of ethics violations in the Code of Conduct. CC ID 14769 Human Resources management Preventive
    Include definitions of ethics violations in the Code of Conduct. CC ID 14768 Human Resources management Preventive
    Include exercising due professional care in the Code of Conduct. CC ID 14210 Human Resources management Preventive
    Include health and safety provisions in the Code of Conduct. CC ID 16206 Human Resources management Preventive
    Include key policies in the Code of Conduct. CC ID 12890 Human Resources management Preventive
    Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 Human Resources management Preventive
    Include the vision statement in the Code of Conduct. CC ID 12889 Human Resources management Preventive
    Include the organization's mission in the Code of Conduct. CC ID 12875 Human Resources management Preventive
    Include classifications of desired conduct in the Code of Conduct. CC ID 12851 Human Resources management Preventive
    Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 Human Resources management Preventive
    Include social responsibility criteria in the Code of Conduct. CC ID 16210 Human Resources management Preventive
    Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 Human Resources management Preventive
    Include labor rights criteria in the Code of Conduct. CC ID 16208 Human Resources management Preventive
    Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 Human Resources management Preventive
    Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 Human Resources management Detective
    Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 Human Resources management Preventive
    Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 Human Resources management Preventive
    Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 Human Resources management Preventive
    Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 Human Resources management Preventive
    Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 Human Resources management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Establishment and implementation of an internal control plan for managing personal information in a safe way; Article 28(1)(1)]
    Operational management Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Operational management Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Operational management Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [A chief information protection officer shall be responsible for the following matters: Analysis/evaluation and improvement of the weakness of information protection; Article 45-3(3)(2)
    A chief information protection officer shall be responsible for the following matters: Preparation of preliminary measures for information protection and designing/realization, etc. of security measures; Article 45-3(3)(4)
    A chief information protection officer shall be responsible for the following matters: Other matters, such as taking necessary measures for protection of information pursuant to this Act or other relevant statutes. Article 45-3(3)(7)
    Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Operational management Preventive
    Include physical safeguards in the information security program. CC ID 12375 Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374
    [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Operational management Preventive
    Include administrative safeguards in the information security program. CC ID 12373
    [A chief information protection officer shall be responsible for the following matters: Establishment and administration/operation of an administrative system for information protection; Article 45-3(3)(1)
    Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Operational management Preventive
    Include system development in the information security program. CC ID 12389 Operational management Preventive
    Include system maintenance in the information security program. CC ID 12388 Operational management Preventive
    Include system acquisition in the information security program. CC ID 12387 Operational management Preventive
    Include access control in the information security program. CC ID 12386 Operational management Preventive
    Include operations management in the information security program. CC ID 12385 Operational management Preventive
    Include communication management in the information security program. CC ID 12384 Operational management Preventive
    Include environmental security in the information security program. CC ID 12383 Operational management Preventive
    Include physical security in the information security program. CC ID 12382 Operational management Preventive
    Include human resources security in the information security program. CC ID 12381 Operational management Preventive
    Include asset management in the information security program. CC ID 12380 Operational management Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Preventive
    Include risk management in the information security program. CC ID 12378 Operational management Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740 Operational management Preventive
    Include business processes in the information security policy. CC ID 16326 Operational management Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Preventive
    Include information security objectives in the information security policy. CC ID 13493 Operational management Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Preventive
    Include notification procedures in the information security policy. CC ID 16842 Operational management Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Operational management Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831
    [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Operational management Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Preventive
    Include startup processes in operational control procedures. CC ID 00833 Operational management Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Preventive
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Corrective
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Operational management Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Operational management Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Corrective
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Operational management Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Operational management Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Operational management Preventive
    Establish, implement, and maintain a service management program. CC ID 11388
    [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)]
    Operational management Preventive
    Include a service management plan in the service management program. CC ID 13902 Operational management Preventive
    Include the information security policy in the service management program. CC ID 13925 Operational management Preventive
    Include the change management policy in the service management program. CC ID 13923 Operational management Preventive
    Include the service management objectives in the service management program. CC ID 11389 Operational management Preventive
    Include the service requirements in the service management program. CC ID 11390 Operational management Preventive
    Include known limitations in the service management program. CC ID 11391 Operational management Preventive
    Include service management policies in the service management program. CC ID 11392 Operational management Preventive
    Assign roles and responsibilities in the service management program. CC ID 11393 Operational management Preventive
    Include all resources needed to achieve the objectives in the service management program. CC ID 11394 Operational management Preventive
    Include supply chain management procedures in the service management program. CC ID 11395 Operational management Preventive
    Include service management procedures in the service management program. CC ID 11396 Operational management Preventive
    Include risk procedures in the service management program. CC ID 11397 Operational management Preventive
    Include continuity plans in the Service Management program. CC ID 13919 Operational management Preventive
    Include all technologies used to support service management in the service management program. CC ID 11398 Operational management Preventive
    Include auditing and improving service management procedures in the service management program. CC ID 11399 Operational management Preventive
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Preventive
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Preventive
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Preventive
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Operational management Detective
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Operational management Detective
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Corrective
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Preventive
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Preventive
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Preventive
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Operational management Preventive
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Corrective
    Include information required by law in incident response notifications. CC ID 00802 Operational management Detective
    Title breach notifications "Notice of Data Breach". CC ID 12977 Operational management Preventive
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Operational management Preventive
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Operational management Preventive
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Operational management Preventive
    Use plain language to write incident response notifications. CC ID 12976 Operational management Preventive
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Operational management Preventive
    Include the affected parties rights in the incident response notification. CC ID 16811 Operational management Preventive
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Preventive
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Preventive
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Preventive
    Include a general description of the data loss event in incident response notifications. CC ID 04734
    [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)
    A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Operational management Preventive
    Include time information in incident response notifications. CC ID 04745 Operational management Preventive
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Preventive
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Preventive
    Include the type of information that was lost in incident response notifications. CC ID 04735
    [{relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1)]
    Operational management Preventive
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Preventive
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Preventive
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Operational management Preventive
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Operational management Preventive
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Preventive
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Operational management Preventive
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Preventive
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Preventive
    Include any consequences in the incident response notifications. CC ID 12604 Operational management Preventive
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Operational management Preventive
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Operational management Preventive
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Operational management Detective
    Include contact information in incident response notifications. CC ID 04739
    [{relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5)]
    Operational management Preventive
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Preventive
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Operational management Preventive
    Include incident reporting procedures in the Incident Management program. CC ID 11772 Operational management Preventive
    Display customer security advice prominently. CC ID 13667 Operational management Preventive
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Preventive
    Create an incident response report following an incident response. CC ID 12700 Operational management Preventive
    Include information on all affected assets in the incident response report. CC ID 12718
    [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)]
    Operational management Preventive
    Include the duration of the incident in the incident response report. CC ID 12716
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Operational management Preventive
    Include the reasons the incident occurred in the incident response report. CC ID 12711
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Operational management Preventive
    Include when the incident occurred in the incident response report. CC ID 12709
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)
    {relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)]
    Operational management Preventive
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708
    [{relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4)]
    Operational management Preventive
    Include a root cause analysis of the incident in the incident response report. CC ID 12701
    [{relevant authority}{loss}{theft}{leakage}{personal information} A provider of information and communications services, etc. shall explain just cause under the main sentence of and proviso to paragraph (1) to the Korea Communications Commission. Article 27-3(3)]
    Operational management Preventive
    Establish, implement, and maintain an incident response plan. CC ID 12056
    [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)]
    Operational management Preventive
    Include addressing external communications in the incident response plan. CC ID 13351 Operational management Preventive
    Include addressing internal communications in the incident response plan. CC ID 13350 Operational management Preventive
    Include change control procedures in the incident response plan. CC ID 15479 Operational management Preventive
    Include addressing information sharing in the incident response plan. CC ID 13349 Operational management Preventive
    Include dynamic reconfiguration in the incident response plan. CC ID 14306 Operational management Preventive
    Include a definition of reportable incidents in the incident response plan. CC ID 14303 Operational management Preventive
    Include the management support needed for incident response in the incident response plan. CC ID 14300 Operational management Preventive
    Include root cause analysis in the incident response plan. CC ID 16423 Operational management Preventive
    Include how incident response fits into the organization in the incident response plan. CC ID 14294 Operational management Preventive
    Include the resources needed for incident response in the incident response plan. CC ID 14292 Operational management Preventive
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Preventive
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Preventive
    Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448
    [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3)]
    Operational management Preventive
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Preventive
    Establish, implement, and maintain an authenticator standard. CC ID 01702 System hardening through configuration management Preventive
    Establish, implement, and maintain an authenticator management system. CC ID 12031 System hardening through configuration management Preventive
    Establish, implement, and maintain authenticator procedures. CC ID 12002
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of access records; Article 28(1)(3)]
    System hardening through configuration management Preventive
    Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 System hardening through configuration management Preventive
    Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 System hardening through configuration management Preventive
    Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 System hardening through configuration management Preventive
    Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 System hardening through configuration management Preventive
    Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 System hardening through configuration management Preventive
    Configure the "password reuse" setting to organizational standards. CC ID 08724 System hardening through configuration management Preventive
    Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 System hardening through configuration management Preventive
    Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 System hardening through configuration management Preventive
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Preventive
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Detective
    Establish, implement, and maintain a data retention program. CC ID 00906 Records management Detective
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Preventive
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Records management Preventive
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Records management Preventive
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Preventive
    Establish, implement, and maintain security label procedures. CC ID 06747 Records management Preventive
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889
    [A person who provides information to the general public purposely to make it public through telecommunications services rendered by a telecommunications business operator (hereinafter referred to as "information provider") and who intends to provide any unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act shall put a label indicating that the information is an unwholesome medium for juvenile by the labeling method specified by Presidential Decree. Article 42 ¶ 1]
    Records management Preventive
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Preventive
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Preventive
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Preventive
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Preventive
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Preventive
    Establish, implement, and maintain a system design specification. CC ID 04557 Systems design, build, and implementation Preventive
    Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 Acquisition or sale of facilities, technology, and services Preventive
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850
    [{unauthorized manipulation} The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Systematic and technical measures for preventing unlawful destruction or manipulation of information; Article 51(3)(2)]
    Privacy protection for information and data Preventive
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Privacy protection for information and data Preventive
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Preventive
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Privacy protection for information and data Preventive
    Include the processing purpose in the privacy notice. CC ID 16543 Privacy protection for information and data Preventive
    Include contact information in the privacy notice. CC ID 14432
    [{be responsible} The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name and address of the person responsible for protection of personal information or the department responsible for business affairs related to the protection of personal information and processing related complaints and other contact information of such person or department. Article 27-2(2)(7)]
    Privacy protection for information and data Preventive
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Privacy protection for information and data Preventive
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Preventive
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Privacy protection for information and data Preventive
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Privacy protection for information and data Preventive
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Privacy protection for information and data Preventive
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Privacy protection for information and data Preventive
    Include the personal data collection categories in the privacy notice. CC ID 13457 Privacy protection for information and data Preventive
    Include disclosure exceptions in the privacy notice. CC ID 13447 Privacy protection for information and data Preventive
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Privacy protection for information and data Preventive
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Privacy protection for information and data Preventive
    Specify the time frame that notice will be given. CC ID 00385 Privacy protection for information and data Preventive
    Include the information about the appeal process in the privacy notice. CC ID 15312
    [{information}{violate}{right} Every provider of information and communications services shall clearly state the details, procedure, and other matters concerning necessary measures in its standardized agreement in advance. Article 44-2(5)]
    Privacy protection for information and data Preventive
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Privacy protection for information and data Preventive
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Privacy protection for information and data Preventive
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Privacy protection for information and data Corrective
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Privacy protection for information and data Preventive
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Privacy protection for information and data Preventive
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Privacy protection for information and data Preventive
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Privacy protection for information and data Preventive
    Establish, implement, and maintain opt-out notices. CC ID 13448 Privacy protection for information and data Preventive
    Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Privacy protection for information and data Preventive
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467 Privacy protection for information and data Preventive
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Privacy protection for information and data Preventive
    Explain the right to opt out in the opt-out notice. CC ID 13462 Privacy protection for information and data Preventive
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Privacy protection for information and data Preventive
    Provide the data subject with a notice of participation procedures. CC ID 06241 Privacy protection for information and data Preventive
    Publish a description of processing activities in an official register. CC ID 00379 Privacy protection for information and data Preventive
    Establish and maintain a records request manual. CC ID 00381 Privacy protection for information and data Preventive
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Privacy protection for information and data Preventive
    Define what is included in registration notices. CC ID 00386 Privacy protection for information and data Preventive
    Include the verification method in the registration notice. CC ID 16798 Privacy protection for information and data Preventive
    Include the statutory authority in the registration notice. CC ID 16799 Privacy protection for information and data Preventive
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Privacy protection for information and data Preventive
    Include a purpose specification description in the registration notice. CC ID 00388 Privacy protection for information and data Preventive
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Privacy protection for information and data Preventive
    Include the data subject category being processed in the registration notice. CC ID 00389 Privacy protection for information and data Preventive
    Include the time period for data processing in the registration notice. CC ID 00390 Privacy protection for information and data Preventive
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Privacy protection for information and data Preventive
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Privacy protection for information and data Preventive
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Privacy protection for information and data Preventive
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Privacy protection for information and data Preventive
    Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 Privacy protection for information and data Preventive
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Privacy protection for information and data Preventive
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Privacy protection for information and data Preventive
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Privacy protection for information and data Preventive
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Privacy protection for information and data Preventive
    Specify which education records may be disclosed in the written consent. CC ID 13000 Privacy protection for information and data Preventive
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Privacy protection for information and data Preventive
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Privacy protection for information and data Preventive
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393
    [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)]
    Privacy protection for information and data Preventive
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A provider of information and communications services or similar falling under the standards determined by Presidential Decree shall periodically notify the users of the details of using personal information of such users (including details of the provision under Article 24-2 and of the entrustment of management of personal information under Article 25) in accordance with Article 22 and the proviso to Article 23 (1): Provided, That this shall not apply in cases where the provider of information and communications services or similar does not collect any contact information or other personal information that can be notified to users. Article 30-2(1)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)]
    Privacy protection for information and data Preventive
    Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Privacy protection for information and data Preventive
    Establish and maintain a disclosure accounting record. CC ID 13022 Privacy protection for information and data Preventive
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Privacy protection for information and data Preventive
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Privacy protection for information and data Preventive
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)]
    Privacy protection for information and data Preventive
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Privacy protection for information and data Preventive
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Privacy protection for information and data Preventive
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Privacy protection for information and data Preventive
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134
    [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The name (referring to the name of a legal corporation, if the person is a legal corporation; hereafter the same shall apply in this Article), address, and telephone number of a person to whom the personal information is to be transferred (hereinafter referred to as a "transferee of business or similar"), and other contact information of the person; Article 26(1)(2)
    If any personal information is transferred to a transferee of business, etc., he or she shall immediately notify the users of such fact and his or her name, domicile, telephone number and other contact details according to methods prescribed by Presidential Decree, such as the posting of such information on the Internet homepage or email. Article 26(2)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The name of the person to whom the personal information is to be transferred (referring to the name of a legal entity and the contact information of the person responsible for management of information, if the person is a legal entity); Article 63(3)(3)]
    Privacy protection for information and data Preventive
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Privacy protection for information and data Preventive
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Privacy protection for information and data Preventive
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Privacy protection for information and data Preventive
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Privacy protection for information and data Preventive
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Privacy protection for information and data Preventive
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Privacy protection for information and data Preventive
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Privacy protection for information and data Preventive
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Privacy protection for information and data Preventive
    Make telephone directory information available to the public. CC ID 08698 Privacy protection for information and data Preventive
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy policy. CC ID 06281
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)]
    Privacy protection for information and data Preventive
    Include the data subject's rights in the privacy policy. CC ID 16355 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Privacy protection for information and data Preventive
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Privacy protection for information and data Detective
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Privacy protection for information and data Preventive
    Write privacy notices in the official languages required by law. CC ID 16529 Privacy protection for information and data Preventive
    Define what is included in the privacy policy. CC ID 00404 Privacy protection for information and data Preventive
    Define the information being collected in the privacy policy. CC ID 13115
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)]
    Privacy protection for information and data Preventive
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Privacy protection for information and data Preventive
    Include the means by which information is collected in the privacy policy. CC ID 13114
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)]
    Privacy protection for information and data Preventive
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Privacy protection for information and data Corrective
    Include roles and responsibilities in the privacy policy. CC ID 14669 Privacy protection for information and data Preventive
    Include management commitment in the privacy policy. CC ID 14668 Privacy protection for information and data Preventive
    Include coordination amongst entities in the privacy policy. CC ID 14667 Privacy protection for information and data Preventive
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Privacy protection for information and data Preventive
    Include compliance requirements in the privacy policy. CC ID 14666 Privacy protection for information and data Preventive
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Privacy protection for information and data Preventive
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Privacy protection for information and data Corrective
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Privacy protection for information and data Preventive
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Privacy protection for information and data Preventive
    Include a complaint form in the privacy policy. CC ID 12364 Privacy protection for information and data Preventive
    Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 Privacy protection for information and data Preventive
    Include the processing purpose in the privacy policy. CC ID 00406
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)]
    Privacy protection for information and data Preventive
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Privacy protection for information and data Preventive
    Include the data subject categories being processed in the privacy policy. CC ID 00407
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)]
    Privacy protection for information and data Preventive
    Define the retention period for collected information in the privacy policy. CC ID 13116
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)]
    Privacy protection for information and data Preventive
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)]
    Privacy protection for information and data Preventive
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)]
    Privacy protection for information and data Preventive
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Privacy protection for information and data Preventive
    Include instructions on how to opt-out in the privacy policy. CC ID 00411 Privacy protection for information and data Preventive
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Privacy protection for information and data Preventive
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6)
    A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1]
    Privacy protection for information and data Preventive
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6)]
    Privacy protection for information and data Preventive
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Privacy protection for information and data Preventive
    Post the privacy policy in an easily seen location. CC ID 00401 Privacy protection for information and data Preventive
    Define who will receive the privacy policy. CC ID 00402 Privacy protection for information and data Preventive
    Establish, implement, and maintain privacy procedures. CC ID 14665 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy plan. CC ID 14672 Privacy protection for information and data Preventive
    Include privacy requirements in the privacy plan. CC ID 14699 Privacy protection for information and data Preventive
    Include the information types in the privacy plan. CC ID 14695 Privacy protection for information and data Preventive
    Include threats in the privacy plan. CC ID 14694 Privacy protection for information and data Preventive
    Include roles and responsibilities in the privacy plan. CC ID 14702 Privacy protection for information and data Preventive
    Include a description of the operational context in the privacy plan. CC ID 14692 Privacy protection for information and data Preventive
    Include risk assessment results in the privacy plan. CC ID 14701 Privacy protection for information and data Preventive
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Privacy protection for information and data Preventive
    Include security controls in the privacy plan. CC ID 14681 Privacy protection for information and data Preventive
    Include a description of the operational environment in the privacy plan. CC ID 14679 Privacy protection for information and data Preventive
    Include network diagrams in the privacy plan. CC ID 14678 Privacy protection for information and data Preventive
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy report. CC ID 14754 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569
    [A person who obtains consent to receive advertising information pursuant to paragraph (1) or (3) shall regularly verify whether an addressee of advertising information consents to receive such information, as prescribed by Presidential Decree. Article 50(8)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain data request procedures. CC ID 16546 Privacy protection for information and data Preventive
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433
    [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to the provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3)]
    Privacy protection for information and data Preventive
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438
    [A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)]
    Privacy protection for information and data Preventive
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Privacy protection for information and data Preventive
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Privacy protection for information and data Preventive
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Privacy protection for information and data Preventive
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Privacy protection for information and data Preventive
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Privacy protection for information and data Preventive
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Privacy protection for information and data Preventive
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Privacy protection for information and data Preventive
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Preventive
    Establish, implement, and maintain approval applications. CC ID 16778 Privacy protection for information and data Preventive
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Preventive
    Submit a safe harbor self-certification letter. CC ID 06871 Privacy protection for information and data Preventive
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Privacy protection for information and data Preventive
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Privacy protection for information and data Preventive
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Privacy protection for information and data Preventive
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Privacy protection for information and data Preventive
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Privacy protection for information and data Preventive
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Privacy protection for information and data Preventive
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Privacy protection for information and data Preventive
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Privacy protection for information and data Preventive
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Privacy protection for information and data Preventive
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Privacy protection for information and data Preventive
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Privacy protection for information and data Preventive
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Privacy protection for information and data Preventive
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Privacy protection for information and data Preventive
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Privacy protection for information and data Preventive
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Privacy protection for information and data Preventive
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Privacy protection for information and data Preventive
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Privacy protection for information and data Preventive
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Privacy protection for information and data Preventive
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Privacy protection for information and data Preventive
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Privacy protection for information and data Preventive
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [A provider, etc. of information and communications shall, when entrusting a trustee with management of personal information, do so in writing. Article 25(6)]
    Privacy protection for information and data Preventive
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Preventive
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Privacy protection for information and data Preventive
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Preventive
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 Privacy protection for information and data Preventive
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)]
    Privacy protection for information and data Preventive
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 Privacy protection for information and data Preventive
    Include the duration of processing in the Data Processing Contract. CC ID 14935 Privacy protection for information and data Preventive
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Preventive
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Privacy protection for information and data Preventive
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 Privacy protection for information and data Preventive
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Privacy protection for information and data Preventive
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Privacy protection for information and data Preventive
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Preventive
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Preventive
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Preventive
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Preventive
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Preventive
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Preventive
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Preventive
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Preventive
    Establish, implement, and maintain data access procedures. CC ID 00414
    [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)]
    Privacy protection for information and data Preventive
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Preventive
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Preventive
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Preventive
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811
    [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)]
    Privacy protection for information and data Preventive
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Preventive
    Notify third parties of data access requests that relate to the third party. CC ID 08703 Privacy protection for information and data Preventive
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128
    [{refrain from using}{be different} No provider of information and communications services may use personal information collected in accordance with Article 22 and the proviso to Article 23 (1) for any purpose other than the purpose consented by the relevant user or the purpose specified in any subparagraph of Article 22 (2). Article 24 ¶ 1]
    Privacy protection for information and data Preventive
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Privacy protection for information and data Preventive
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Privacy protection for information and data Preventive
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Preventive
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Preventive
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Preventive
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Preventive
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Preventive
    Define security breach notification requirement exceptions. CC ID 04797 Privacy protection for information and data Preventive
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Privacy protection for information and data Preventive
    Define the exceptions to disclosure absent consent. CC ID 00135 Privacy protection for information and data Preventive
    Define opt-out exceptions for disclosing restricted data. CC ID 00159 Privacy protection for information and data Preventive
    Define how a data subject may give consent. CC ID 00160 Privacy protection for information and data Preventive
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Privacy protection for information and data Detective
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [{refrain from destroying} A provider of information and communications services or similar shall, if any of the following occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1)
    The provider of information and communications services or similar shall, in an effort to protect personal information of the users who do not use information and communications services for a period of one year, take necessary measures, such as destruction of personal information, as prescribed by Presidential Decree: Provided, That the period is otherwise provided either in accordance with other statute or at the request of the users, such provisions shall apply. Article 29(2)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)
    If a user withdraws his or her consent pursuant to paragraph (1), a provider of information and communications services, etc. shall immediately take necessary measures, such as the destruction of collected personal information in an irrecoverable or unreproducible way. Article 30(3)]
    Privacy protection for information and data Preventive
    Document the redisclosing restricted data exceptions. CC ID 00170 Privacy protection for information and data Preventive
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Preventive
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Preventive
    Establish, implement, and maintain data request denial procedures. CC ID 00434 Privacy protection for information and data Preventive
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Preventive
    Include cookie management in the privacy framework. CC ID 13809 Privacy protection for information and data Preventive
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Preventive
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Preventive
    Post the collection purpose. CC ID 00101
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)]
    Privacy protection for information and data Preventive
    Document each individual's personal data collection consent preferences. CC ID 06945 Privacy protection for information and data Preventive
    Establish and maintain a personal data definition. CC ID 00028 Privacy protection for information and data Preventive
    Include the number of children in the personal data definition. CC ID 13759 Privacy protection for information and data Preventive
    Include the individual's religion in the personal data definition. CC ID 13765 Privacy protection for information and data Preventive
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Privacy protection for information and data Preventive
    Include an individual's license plate number in the personal data definition. CC ID 13763 Privacy protection for information and data Preventive
    Include an individual's account balances in the personal data definition. CC ID 13770 Privacy protection for information and data Preventive
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Privacy protection for information and data Preventive
    Include an individual's military identification number in the personal data definition. CC ID 13083 Privacy protection for information and data Preventive
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Privacy protection for information and data Preventive
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Preventive
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Privacy protection for information and data Preventive
    Provide the data subject with the data collector's name and contact information. CC ID 00024
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)]
    Privacy protection for information and data Preventive
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Privacy protection for information and data Preventive
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Trade name and contact information of the other party (referring to a person who sells and/or provides goods/services in a transaction through telecommunications billing services; hereinafter referred to as "other party to a transaction"); Article 58(1)(2)]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling policies. CC ID 00353
    [{do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361
    [{refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that divulges a secret classified by statutes or any other State secret; Article 44-7(1)(7)
    {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1]
    Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Detective
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Privacy protection for information and data Preventive
    Establish, implement, and maintain call metadata controls. CC ID 04790 Privacy protection for information and data Preventive
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Preventive
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Preventive
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Preventive
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Privacy protection for information and data Preventive
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Privacy protection for information and data Preventive
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333
    [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Privacy protection for information and data Preventive
    Document transfer disagreements by the data subject in writing. CC ID 00348 Privacy protection for information and data Preventive
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Privacy protection for information and data Preventive
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Privacy protection for information and data Preventive
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712 Privacy protection for information and data Preventive
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Privacy protection for information and data Preventive
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Privacy protection for information and data Preventive
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Privacy protection for information and data Preventive
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Privacy protection for information and data Preventive
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Privacy protection for information and data Preventive
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Privacy protection for information and data Preventive
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Privacy protection for information and data Preventive
    File privacy rights violation complaints in writing. CC ID 00477 Privacy protection for information and data Corrective
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Privacy protection for information and data Corrective
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Privacy protection for information and data Preventive
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526
    [Every provider of telecommunications billing services may install and operate an institution or organization that voluntarily resolves disputes to protect rights and interests of users. Article 59(1)
    A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)
    {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)]
    Privacy protection for information and data Preventive
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Privacy protection for information and data Preventive
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Privacy protection for information and data Preventive
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Privacy protection for information and data Preventive
    Document unresolved challenges. CC ID 13568 Privacy protection for information and data Preventive
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Privacy protection for information and data Preventive
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952
    [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)]
    Privacy protection for information and data Preventive
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Privacy protection for information and data Preventive
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Privacy protection for information and data Preventive
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Privacy protection for information and data Corrective
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497
    [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)]
    Privacy protection for information and data Detective
    Define the organization's liability based on the applicable law. CC ID 00504
    [If the trustee violates any provision of this Chapter in connection with the business affairs related to the entrustment of management of personal information and inflicts damages upon a user, the trustee shall be deemed an employee of the provider of information and communications services or similar in determining liability for such damages. Article 25(5)
    A provider of information and communications services may, if he or she takes necessary measures under paragraph (2) for the information circulated through the information and communications network operated and managed by it, have its liability for damages caused by such information mitigated or discharged. Article 44-2(6)
    A provider of telecommunications billing services shall be liable for damages caused to a user of the telecommunications billing services while rendering the services: Provided, That the same shall not apply in cases where the damages were caused by an intentional act or gross negligence on the part of the user of the telecommunications billing services. Article 60(1)]
    Privacy protection for information and data Preventive
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Preventive
    Define the appeal process based on the applicable law. CC ID 00506 Privacy protection for information and data Preventive
    Provide notice of proposed penalties. CC ID 06216 Privacy protection for information and data Preventive
    Establish, implement, and maintain an anti-spam policy. CC ID 00283 Privacy protection for information and data Preventive
    Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300 Privacy protection for information and data Preventive
    Establish, implement, and maintain a supply chain management program. CC ID 11742
    [A person who has commissioned a third party to transmit advertising information for profit on his or her behalf shall control and oversee the person to whom the transmission was commissioned to ensure that the person does not violate Article 50. Article 50-3(1)
    A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)]
    Third Party and supply chain oversight Preventive
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If transmission or reception of advertising information hinders or is likely to hinder rendering the services; Article 50-4(1)(1)
    Any provider of information and communications services or similar shall not conclude an international contract with any term or condition in violation of this Act with respect to personal information of users. Article 63(1)
    {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)]
    Third Party and supply chain oversight Preventive
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Preventive
    Document and maintain supply chain processes. CC ID 08816 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain an exit plan. CC ID 15492 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in the exit plan. CC ID 15497 Third Party and supply chain oversight Preventive
    Include contingency plans in the third party management plan. CC ID 10030 Third Party and supply chain oversight Preventive
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Preventive
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Third Party and supply chain oversight Preventive
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Preventive
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 Third Party and supply chain oversight Preventive
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Preventive
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Preventive
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Preventive
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 Third Party and supply chain oversight Preventive
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Third Party and supply chain oversight Preventive
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Third Party and supply chain oversight Preventive
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Preventive
    Include text about data ownership in third party contracts. CC ID 06502 Third Party and supply chain oversight Preventive
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Third Party and supply chain oversight Preventive
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Preventive
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in third party contracts. CC ID 13487 Third Party and supply chain oversight Preventive
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Preventive
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Preventive
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Preventive
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Third Party and supply chain oversight Preventive
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Preventive
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Preventive
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Third Party and supply chain oversight Preventive
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Preventive
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Preventive
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Preventive
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Preventive
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Preventive
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Preventive
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Preventive
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Preventive
    Include a reporting structure in third party contracts. CC ID 06532 Third Party and supply chain oversight Preventive
    Include points of contact in third party contracts. CC ID 12355 Third Party and supply chain oversight Preventive
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Preventive
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 Third Party and supply chain oversight Preventive
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Third Party and supply chain oversight Preventive
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 Third Party and supply chain oversight Preventive
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Third Party and supply chain oversight Preventive
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Third Party and supply chain oversight Preventive
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 Third Party and supply chain oversight Preventive
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722 Third Party and supply chain oversight Preventive
    Include change control clauses in third party contracts, as necessary. CC ID 06523 Third Party and supply chain oversight Preventive
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 Third Party and supply chain oversight Preventive
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Third Party and supply chain oversight Preventive
    Include change control notification processes in third party contracts. CC ID 06524
    [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)]
    Third Party and supply chain oversight Preventive
    Include cost structure changes in third party contracts. CC ID 10021 Third Party and supply chain oversight Preventive
    Include a choice of venue clause in third party contracts. CC ID 06520 Third Party and supply chain oversight Preventive
    Include a dispute resolution clause in third party contracts. CC ID 06519
    [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)]
    Third Party and supply chain oversight Preventive
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Third Party and supply chain oversight Preventive
    Include a termination provision clause in third party contracts. CC ID 01367
    [If a provider of information and communications services intends to take any measure for refusal under paragraph (1) or (4), he or she shall include matters concerning the refusal of the relevant services in the terms and conditions of a contract for use of information and communications services which he or she concludes with the user of such services. Article 50-4(2)]
    Third Party and supply chain oversight Detective
    Include early termination contingency plans in the third party contracts. CC ID 06526 Third Party and supply chain oversight Preventive
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Third Party and supply chain oversight Preventive
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Preventive
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Third Party and supply chain oversight Preventive
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Third Party and supply chain oversight Preventive
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026
    [A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3)
    A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)]
    Third Party and supply chain oversight Preventive
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791
    [A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)]
    Third Party and supply chain oversight Preventive
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Preventive
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Third Party and supply chain oversight Preventive
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Third Party and supply chain oversight Preventive
    Document supply chain dependencies in the supply chain management program. CC ID 08900 Third Party and supply chain oversight Detective
    Establish and maintain a Third Party Service Provider list. CC ID 12480 Third Party and supply chain oversight Preventive
    Include required information in the Third Party Service Provider list. CC ID 14429 Third Party and supply chain oversight Preventive
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Third Party and supply chain oversight Preventive
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Third Party and supply chain oversight Preventive
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Third Party and supply chain oversight Preventive
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Third Party and supply chain oversight Preventive
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 Third Party and supply chain oversight Preventive
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Third Party and supply chain oversight Preventive
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Third Party and supply chain oversight Preventive
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Third Party and supply chain oversight Preventive
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Third Party and supply chain oversight Preventive
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637 Third Party and supply chain oversight Preventive
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Third Party and supply chain oversight Preventive
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 Third Party and supply chain oversight Detective
    Approve all Service Level Agreements. CC ID 00843 Third Party and supply chain oversight Detective
    Document all chargeable items in Service Level Agreements. CC ID 00844 Third Party and supply chain oversight Detective
    Categorize all suppliers in the supply chain management program. CC ID 00792 Third Party and supply chain oversight Preventive
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Preventive
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Third Party and supply chain oversight Preventive
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Preventive
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Preventive
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Third Party and supply chain oversight Preventive
    Include supplier assessment principles in the supply chain management policy. CC ID 08809 Third Party and supply chain oversight Preventive
    Include the third party selection process in the supply chain management policy. CC ID 13132 Third Party and supply chain oversight Preventive
    Select suppliers based on their qualifications. CC ID 00795 Third Party and supply chain oversight Preventive
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 Third Party and supply chain oversight Preventive
    Include a clear management process in the supply chain management policy. CC ID 08810 Third Party and supply chain oversight Preventive
    Include roles and responsibilities in the supply chain management policy. CC ID 15499 Third Party and supply chain oversight Preventive
    Include third party due diligence standards in the supply chain management policy. CC ID 08812 Third Party and supply chain oversight Preventive
    Require suppliers to commit to the supply chain management policy. CC ID 08813 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Third Party and supply chain oversight Preventive
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Third Party and supply chain oversight Preventive
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Third Party and supply chain oversight Preventive
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Third Party and supply chain oversight Preventive
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Third Party and supply chain oversight Preventive
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Third Party and supply chain oversight Preventive
    Establish and maintain a conflict materials report. CC ID 08823 Third Party and supply chain oversight Preventive
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Third Party and supply chain oversight Preventive
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Third Party and supply chain oversight Preventive
    Establish, implement, and maintain outsourcing contracts. CC ID 13124 Third Party and supply chain oversight Preventive
    Include the organization approving subcontractors in the outsourcing contract. CC ID 13131
    [{business affair}{personal information} A trustee may re-entrust a third party with affairs entrusted pursuant to paragraph (1) only where the trustee obtains consent from the provider, etc. of information and communications services. Article 25(7)]
    Third Party and supply chain oversight Preventive
  • Human Resources Management
    61
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Assign senior management to approve test plans. CC ID 13071 Monitoring and measurement Preventive
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Technical security Preventive
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Preventive
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Preventive
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources management Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources management Preventive
    Categorize the gender of all employees. CC ID 15609 Human Resources management Preventive
    Categorize all employees by racial groups and ethnic groups. CC ID 15627 Human Resources management Preventive
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 Human Resources management Preventive
    Establish and maintain Personnel Files for all employees. CC ID 12438 Human Resources management Preventive
    Include credit check results in each employee's personnel file. CC ID 12447 Human Resources management Preventive
    Include any criminal records in each employee's personnel file. CC ID 12446 Human Resources management Preventive
    Include all employee information in each employee's personnel file. CC ID 12445 Human Resources management Preventive
    Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 Human Resources management Preventive
    Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 Human Resources management Preventive
    Include referral follow-up results in each employee's personnel file. CC ID 12440 Human Resources management Preventive
    Include background check results in each employee's personnel file. CC ID 12439 Human Resources management Preventive
    Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 Human Resources management Preventive
    Establish, implement, and maintain staff position risk designations. CC ID 14280 Human Resources management Preventive
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Detective
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources management Preventive
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources management Preventive
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources management Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources management Corrective
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources management Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources management Detective
    Support certification programs as viable training programs. CC ID 13268 Human Resources management Preventive
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources management Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources management Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Preventive
    Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 Human Resources management Preventive
    Establish, implement, and maintain an ethics program. CC ID 11496 Human Resources management Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Preventive
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [{refrain from refusing}{do not consent}{not necessary} No provider of information and communications services shall refuse to provide the relevant services to users on the ground that the users give no consent to the establishment of access authority not certainly necessary to provide the relevant services. Article 22-2(2)
    {refrain from refusing} No provider of information and communications services shall refuse to provide such services on the ground that a user does not provide personal information other than the minimum personal information required. In such cases, the minimum personal information required means information that is specifically required to perform essential functions of the relevant services. Article 23(3)
    {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)]
    Privacy protection for information and data Preventive
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Privacy protection for information and data Preventive
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Privacy protection for information and data Preventive
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Privacy protection for information and data Preventive
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Privacy protection for information and data Preventive
    Review compliance with the organization's privacy objectives. CC ID 13490 Privacy protection for information and data Detective
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Privacy protection for information and data Preventive
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Third Party and supply chain oversight Preventive
  • IT Impact Zone
    14
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Investigate
    14
    Check the list of material topics for completeness. CC ID 15692 Leadership and high level objectives Preventive
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Leadership and high level objectives Detective
    Determine the amount of assets to be held in escrow. CC ID 16575 Leadership and high level objectives Detective
    Verify proof of identity records. CC ID 13761 Technical security Detective
    Scan for malicious code, as necessary. CC ID 11941 Technical security Detective
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Detective
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Detective
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Detective
    Perform social network analysis, as necessary. CC ID 14864 Operational management Detective
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Operational management Detective
    Analyze requirements for processing personal data in contracts. CC ID 12550 Privacy protection for information and data Detective
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Privacy protection for information and data Detective
    Review the methods for collecting personal data, as necessary. CC ID 13511 Privacy protection for information and data Detective
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Detective
  • Log Management
    16
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Detective
    Establish and maintain a visitor log. CC ID 00715 Physical and environmental protection Preventive
    Record the visitor's name in the visitor log. CC ID 00557 Physical and environmental protection Preventive
    Record the visitor's organization in the visitor log. CC ID 12121 Physical and environmental protection Preventive
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Physical and environmental protection Preventive
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Physical and environmental protection Preventive
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Physical and environmental protection Preventive
    Log when the vault is accessed. CC ID 06725 Physical and environmental protection Detective
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Detective
    Store facility access logs in off-site storage. CC ID 06958 Physical and environmental protection Preventive
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Operational management Corrective
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Detective
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Preventive
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Preventive
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Detective
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Detective
  • Monitor and Evaluate Occurrences
    28
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Preventive
    Monitor the performance of the margin system. CC ID 16655 Leadership and high level objectives Detective
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitoring and measurement Detective
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)]
    Monitoring and measurement Detective
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Detective
    Enforce information flow control. CC ID 11781 Technical security Preventive
    Log and react to all malicious code activity. CC ID 07072 Technical security Detective
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Physical and environmental protection Preventive
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Physical and environmental protection Detective
    Log the exit of a staff member to a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Preventive
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Physical and environmental protection Detective
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Physical and environmental protection Detective
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Physical and environmental protection Detective
    Monitor for alarmed security doors being propped open. CC ID 06684 Physical and environmental protection Detective
    Identify and watch individuals that pose a risk to the organization. CC ID 10674 Human Resources management Detective
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Detective
    Analyze and evaluate training records to improve the training program. CC ID 06380 Human Resources management Detective
    Monitor and review the effectiveness of the information security program. CC ID 12744
    [A chief information protection officer shall be responsible for the following matters: Review of a preliminary security for information protection; Article 45-3(3)(5)]
    Operational management Preventive
    Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 Systems design, build, and implementation Detective
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Preventive
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Detective
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Corrective
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Detective
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Detective
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Preventive
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Preventive
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Preventive
  • Physical and Environmental Protection
    49
    Protect the facility from crime. CC ID 06347 Physical and environmental protection Preventive
    Protect facilities from eavesdropping. CC ID 02222 Physical and environmental protection Preventive
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Detective
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Preventive
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Preventive
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Preventive
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and environmental protection Preventive
    Inspect items brought into the facility. CC ID 06341 Physical and environmental protection Preventive
    Maintain all physical security systems. CC ID 02206 Physical and environmental protection Preventive
    Maintain all security alarm systems. CC ID 11669 Physical and environmental protection Preventive
    Control physical access to (and within) the facility. CC ID 01329 Physical and environmental protection Preventive
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Preventive
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Detective
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Preventive
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Preventive
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and environmental protection Corrective
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Preventive
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Preventive
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Preventive
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Preventive
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Preventive
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Preventive
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Preventive
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Preventive
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Preventive
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Preventive
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and environmental protection Preventive
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and environmental protection Preventive
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Preventive
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and environmental protection Preventive
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and environmental protection Preventive
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and environmental protection Preventive
    Screen incoming mail and deliveries. CC ID 06719 Physical and environmental protection Preventive
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and environmental protection Preventive
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and environmental protection Preventive
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and environmental protection Preventive
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and environmental protection Preventive
    Establish a security room, if necessary. CC ID 00738 Physical and environmental protection Preventive
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and environmental protection Preventive
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Preventive
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Preventive
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Detective
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and environmental protection Preventive
    Monitor physical entry point alarms. CC ID 01639 Physical and environmental protection Detective
    Build and maintain fencing, as necessary. CC ID 02235 Physical and environmental protection Preventive
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and environmental protection Preventive
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Preventive
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and environmental protection Preventive
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Third Party and supply chain oversight Preventive
  • Process or Activity
    117
    Review and approve the material topics, as necessary. CC ID 15670 Leadership and high level objectives Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Leadership and high level objectives Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Leadership and high level objectives Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Leadership and high level objectives Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Leadership and high level objectives Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Leadership and high level objectives Preventive
    Include ongoing monitoring in the financial management program. CC ID 16762 Leadership and high level objectives Preventive
    Employ tools to manage settlement and funding flows. CC ID 16743 Leadership and high level objectives Preventive
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Leadership and high level objectives Preventive
    Analyze the effectiveness of the stress test plan. CC ID 16657 Leadership and high level objectives Detective
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Leadership and high level objectives Preventive
    Include customer due diligence in the loan administration procedures. CC ID 16736 Leadership and high level objectives Preventive
    Assess the properties of the margin model used in the margin system. CC ID 16658 Leadership and high level objectives Detective
    Analyze the performance of the margin system. CC ID 16654 Leadership and high level objectives Detective
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Preventive
    Correct compliance violations. CC ID 13515
    [{problem} Where services which a provider of information and communications services provides to users under a contract for use are used for transmitting advertising information for profits, in violation of Article 50 or 50-8, the relevant provider of information and communications services shall formulate necessary measures, such as refusal to provide the relevant services or fix of problems of information and communications networks or services. Article 50-4(4)]
    Monitoring and measurement Corrective
    Implement digital identification processes. CC ID 13731 Technical security Preventive
    Implement identity proofing processes. CC ID 13719 Technical security Preventive
    Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 Technical security Preventive
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 Technical security Preventive
    Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 Technical security Detective
    Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 Technical security Preventive
    Interact with the data subject when performing remote proofing. CC ID 13777 Technical security Detective
    Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 Technical security Preventive
    View all applicant actions when performing remote proofing. CC ID 13804 Technical security Detective
    Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 Technical security Preventive
    Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 Technical security Detective
    Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 Technical security Detective
    Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 Technical security Preventive
    Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 Technical security Preventive
    Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 Technical security Detective
    Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 Technical security Preventive
    Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 Technical security Preventive
    Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 Technical security Detective
    Validate proof of identity during the identity proofing process. CC ID 13756 Technical security Detective
    Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 Technical security Detective
    Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 Technical security Detective
    Allow records that relate to the data subject as proof of identity. CC ID 13772 Technical security Preventive
    Conduct in-person proofing with physical interactions. CC ID 13775 Technical security Detective
    Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 Technical security Preventive
    Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 Technical security Preventive
    Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 Technical security Preventive
    Refrain from approving attributes in the identity proofing process. CC ID 13716 Technical security Preventive
    Reperform the identity proofing process for each individual, as necessary. CC ID 13762 Technical security Detective
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Technical security Preventive
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Technical security Preventive
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Technical security Preventive
    Remove malware when malicious code is discovered. CC ID 13691 Technical security Corrective
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Preventive
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Preventive
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Preventive
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Preventive
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Preventive
    Include organizational values in the Code of Conduct. CC ID 12919 Human Resources management Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Preventive
    Review and approve access controls, as necessary. CC ID 13074 Operational management Detective
    Provide management direction and support for the information security program. CC ID 11999 Operational management Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Operational management Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Preventive
    Provide support for information sharing activities. CC ID 15644 Operational management Preventive
    Contain the incident to prevent further loss. CC ID 01751
    [A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an abnormality found in the information system of a person who uses clustered information and communications facilities (hereinafter referred to as "user of facilities") will probably cause a serious trouble to the information system of other users of facilities or clustered information and communications facilities; Article 46-2(1)(1)
    A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an intrusion from outside will probably cause a serious trouble to the clustered information and communications facilities; Article 46-2(1)(2)
    {relevant authority} A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If there occurs a serious intrusion and the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency requests to suspend the services. Article 46-2(1)(3)]
    Operational management Corrective
    Revoke the written request to delay the notification. CC ID 16843 Operational management Preventive
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Preventive
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Preventive
    Delete age-restricted content, as necessary. CC ID 15450
    [A provider of information and communications services shall, if there is any unwholesome medium for juvenile published in violation of the labeling method under Article 42 in the information and communications network operated and managed by him or her or if a content advertising any unwholesome medium for juvenile is displayed in such network without any measures to restrict access by juvenile under Article 42-2, delete such content without delay. Article 44-2(3)]
    Operational management Preventive
    Control the distribution of media containing age-restricted content, as necessary. CC ID 15446
    [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with an obscene content distributed, sold, rented, or displayed openly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(1)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within an unwholesome medium for juvenile under the Juvenile Protection Act and that is provided for profit without fulfilling the duties and obligations under relevant statutes, including the duty to verify the opposite party's age and the duty of labeling; Article 44-7(1)(5)
    {refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1]
    Operational management Preventive
    Determine how long to keep records and logs before disposing them. CC ID 11661 Records management Preventive
    Sanitize user input in accordance with organizational standards. CC ID 16856 Records management Preventive
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Privacy protection for information and data Detective
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Privacy protection for information and data Preventive
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Privacy protection for information and data Preventive
    Provide the data subject with the data retention period for personal data. CC ID 12587
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4)]
    Privacy protection for information and data Preventive
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Privacy protection for information and data Preventive
    Provide the data subject with the adequacy decision. CC ID 12586 Privacy protection for information and data Preventive
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Privacy protection for information and data Preventive
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Privacy protection for information and data Preventive
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Preventive
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Preventive
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Privacy protection for information and data Preventive
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Privacy protection for information and data Preventive
    Align the enterprise architecture with the privacy plan. CC ID 14705 Privacy protection for information and data Preventive
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Privacy protection for information and data Preventive
    Approve the approval application unless applicant has been convicted. CC ID 16603 Privacy protection for information and data Preventive
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Privacy protection for information and data Preventive
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Preventive
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Preventive
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Preventive
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Privacy protection for information and data Preventive
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Privacy protection for information and data Detective
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Privacy protection for information and data Preventive
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Preventive
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Preventive
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Preventive
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Preventive
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Preventive
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Detective
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Preventive
    Take appropriate action when a data leakage is discovered. CC ID 14716
    [{relevant authority} Upon the request of the Korea Communications Commission or the Korea Internet and Security Agency, a provider, etc. of information and communications services shall take necessary measures such as deleting and blocking exposed personal information referred to in paragraph (1). Article 32-3(2)
    A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)]
    Privacy protection for information and data Corrective
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Privacy protection for information and data Preventive
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Privacy protection for information and data Preventive
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Privacy protection for information and data Preventive
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Preventive
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Preventive
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [{refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)]
    Third Party and supply chain oversight Detective
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 Third Party and supply chain oversight Preventive
  • Records Management
    39
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Technical security Preventive
    Retain video events according to Records Management procedures. CC ID 06304 Physical and environmental protection Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Preventive
    Retain records in accordance with applicable requirements. CC ID 00968
    [{be impossible} An information provider specified by Presidential Decree among those who engage in a business of providing unwholesome media for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in a way to make it impossible to store or record the unwholesome media in a user's computer shall keep relevant information. Article 43(1)
    Every provider of telecommunications billing services shall preserve records of telecommunications billing services during the period, within the limit of five years, prescribed by Presidential Decree. Article 58(4)]
    Records management Preventive
    Compare each record's data input to its final form. CC ID 11813 Records management Detective
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Detective
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 Records management Preventive
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Privacy protection for information and data Preventive
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Privacy protection for information and data Preventive
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Privacy protection for information and data Corrective
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Privacy protection for information and data Corrective
    Grant access to education records in support of educational program audits. CC ID 13032 Privacy protection for information and data Preventive
    Grant access to education records in support of external requirements. CC ID 13033 Privacy protection for information and data Preventive
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Privacy protection for information and data Preventive
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Preventive
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Preventive
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Corrective
    Refrain from processing restricted data, as necessary. CC ID 12551
    [{refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1)
    {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2)
    A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Privacy protection for information and data Preventive
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Privacy protection for information and data Preventive
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Privacy protection for information and data Preventive
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Privacy protection for information and data Preventive
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Privacy protection for information and data Preventive
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Privacy protection for information and data Preventive
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Privacy protection for information and data Preventive
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Privacy protection for information and data Preventive
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Privacy protection for information and data Preventive
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Privacy protection for information and data Preventive
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Privacy protection for information and data Preventive
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Privacy protection for information and data Preventive
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Privacy protection for information and data Preventive
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Privacy protection for information and data Preventive
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Privacy protection for information and data Preventive
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Privacy protection for information and data Preventive
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Preventive
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Preventive
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967
    [{refrain from providing} No one shall be knowingly provided with any disclosed personal information for profit or any unlawful purpose. Article 28-2(2)
    {violate}{right} Every provider of information and communications services shall make efforts to prevent any information under paragraph (1) from being circulated through the information and communications network operated and managed by it. Article 44(2)
    {refrain from circulating}{violate} No user may circulate any information violative of other person's rights, including invasion of privacy and defamation, through an information and communications network. Article 44(1)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that defames other persons by divulging a fact, false fact, openly and purposely to disparage the person's reputation; Article 44-7(1)(2)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information regarding content of transactions of personal information in violation of this Act or other statutes concerning the protection of personal information; Article 44-7(1)(6-2)
    {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2)
    {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1]
    Privacy protection for information and data Preventive
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [{violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)]
    Privacy protection for information and data Preventive
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Privacy protection for information and data Preventive
  • Systems Continuity
    1
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 Third Party and supply chain oversight Preventive
  • Systems Design, Build, and Implementation
    4
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Preventive
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems design, build, and implementation Preventive
    Develop new products based on best practices. CC ID 01095 Systems design, build, and implementation Preventive
    Include security requirements in the system design specification. CC ID 06826
    [{take into account} A provider of information and communications services shall, if he or she intends to newly establish an information and communications network or to provide information and communications services, take the matters regarding information protection into account in planning or designing thereof. Article 45-2(1)]
    Systems design, build, and implementation Preventive
  • Technical Security
    61
    Control access rights to organizational assets. CC ID 00004 Technical security Preventive
    Establish access rights based on least privilege. CC ID 01411
    [Every provider of information and communications services or similar shall restrict the persons who may manage users' personal information to the minimum extent. Article 28(2)]
    Technical security Preventive
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Preventive
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Preventive
    Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526
    [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Technical security Preventive
    Implement out-of-band authentication, as necessary. CC ID 10606 Technical security Corrective
    Identify and control all network access controls. CC ID 00529 Technical security Preventive
    Protect the firewall's network connection interfaces. CC ID 01955 Technical security Preventive
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical security Preventive
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical security Preventive
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)]
    Technical security Preventive
    Employ cryptographic controls that comply with applicable requirements. CC ID 12491 Technical security Preventive
    Make key usage for data fields unique for each device. CC ID 04828 Technical security Preventive
    Accept only trusted keys and/or certificates. CC ID 11988 Technical security Preventive
    Bind keys to each identity. CC ID 12337 Technical security Preventive
    Generate unique cryptographic keys for each user. CC ID 12169 Technical security Preventive
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical security Preventive
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Preventive
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical security Preventive
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical security Preventive
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical security Preventive
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical security Preventive
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical security Preventive
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical security Preventive
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)]
    Technical security Preventive
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Preventive
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical security Preventive
    Treat data messages that do not receive an acknowledgment as never been sent. CC ID 14416 Technical security Preventive
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical security Preventive
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical security Preventive
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical security Preventive
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical security Preventive
    Install and maintain container security solutions. CC ID 16178 Technical security Preventive
    Protect the system against replay attacks. CC ID 04552 Technical security Preventive
    Analyze the behavior and characteristics of the malicious code. CC ID 10672 Technical security Detective
    Incorporate the malicious code analysis into the patch management program. CC ID 10673 Technical security Corrective
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Preventive
    Secure unissued access mechanisms. CC ID 06713 Physical and environmental protection Preventive
    Change cipher lock codes, as necessary. CC ID 06651 Physical and environmental protection Preventive
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Human Resources management Corrective
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 Human Resources management Corrective
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Preventive
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Corrective
    Refrain from accessing compromised systems. CC ID 01752 Operational management Corrective
    Isolate compromised systems from the network. CC ID 01753 Operational management Corrective
    Change authenticators after a security incident has been detected. CC ID 06789 Operational management Corrective
    Establish, implement, and maintain authenticators. CC ID 15305 System hardening through configuration management Preventive
    Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 System hardening through configuration management Preventive
    Establish, implement, and maintain online storage controls. CC ID 00942 Records management Preventive
    Provide encryption for different types of electronic storage media. CC ID 00945
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)]
    Records management Preventive
    Establish, implement, and maintain payment transaction security measures. CC ID 13088
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A plan for protection of users of telecommunications billing services; Article 53(1)(2)
    Every provider of telecommunications billing services shall perform his or her duty to pay attention as a good manager so that telecommunications billing services may be provided in a safe manner. Article 57(1)]
    Acquisition or sale of facilities, technology, and services Preventive
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Privacy protection for information and data Preventive
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Privacy protection for information and data Preventive
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Preventive
    Employ a random number generator to create authenticators. CC ID 13782 Privacy protection for information and data Preventive
    Provide unobservability of users and resources. CC ID 04551 Privacy protection for information and data Preventive
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Preventive
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Preventive
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Preventive
    Implement security measures to protect personal data. CC ID 13606
    [The persons manufacturing and providing a basic operating system (referring to an operating environment in which software installed in mobile devices can be run) of mobile devices, the manufacturers of mobile devices, and the persons manufacturing and providing software for mobile devices shall take measures necessary for protecting users' information, such as devising methods for users to give or revoke consent to access authority where the provider of information and communications services intends to access the information stored and functions installed in mobile devices. Article 22-2(3)
    Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Other protective measures necessary for securing safety of personal information. Article 28(1)(6)
    A person who manages or has ever managed personal information of users shall not damage, intrude on, or disclose personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)]
    Privacy protection for information and data Preventive
  • Testing
    38
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Leadership and high level objectives Preventive
    Test the collateral requirements for appropriateness. CC ID 16681 Leadership and high level objectives Preventive
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Leadership and high level objectives Preventive
    Include stress scenarios in the stress test plan. CC ID 16659 Leadership and high level objectives Preventive
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Leadership and high level objectives Preventive
    Validate the margin system on a regular basis. CC ID 16660 Leadership and high level objectives Detective
    Establish, implement, and maintain a system security plan. CC ID 01922
    [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)]
    Monitoring and measurement Preventive
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Detective
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Detective
    Require testing procedures to be complete. CC ID 00664 Monitoring and measurement Detective
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Preventive
    Configure firewalls to perform dynamic packet filtering. CC ID 01288 Technical security Detective
    Test cryptographic key management applications, as necessary. CC ID 04829 Technical security Detective
    Implement non-repudiation for transactions. CC ID 00567 Technical security Detective
    Test all removable storage media for viruses and malicious code. CC ID 11861 Technical security Detective
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Technical security Detective
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Preventive
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Preventive
    Test locks for physical security vulnerabilities. CC ID 04880 Physical and environmental protection Detective
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Detective
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Detective
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Human Resources management Detective
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Preventive
    Conduct tests and evaluate training. CC ID 06672 Human Resources management Detective
    Maintain continued integrity for all stored data and stored records. CC ID 00969
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of access records; Article 28(1)(3)]
    Records management Detective
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Detective
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Preventive
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Detective
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Detective
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Privacy protection for information and data Detective
    Test the exit plan, as necessary. CC ID 15495 Third Party and supply chain oversight Preventive
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Third Party and supply chain oversight Detective
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Third Party and supply chain oversight Detective
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Third Party and supply chain oversight Detective
    Establish the third party's service continuity. CC ID 00797 Third Party and supply chain oversight Detective
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Detective
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Detective
    Perform risk assessments of third parties, as necessary. CC ID 06454 Third Party and supply chain oversight Detective
  • Training
    27
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Submit applications for professional certification. CC ID 16192 Human Resources management Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Detective
    Develop or acquire content to update the training plans. CC ID 12867 Human Resources management Preventive
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Human Resources management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Human Resources management Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Human Resources management Preventive
    Conduct personal data processing training. CC ID 13757 Human Resources management Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Human Resources management Preventive
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Preventive
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Preventive
    Conduct tampering prevention training. CC ID 11875 Human Resources management Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Human Resources management Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Human Resources management Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Human Resources management Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Human Resources management Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Human Resources management Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Human Resources management Preventive
Common Controls and mandates by Classification
190 Mandated Controls - bold    114 Implied Controls - italic    2101 Implementation

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
2405 Total
  • Corrective
    82
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Correct compliance violations. CC ID 13515
    [{problem} Where services which a provider of information and communications services provides to users under a contract for use are used for transmitting advertising information for profits, in violation of Article 50 or 50-8, the relevant provider of information and communications services shall formulate necessary measures, such as refusal to provide the relevant services or fix of problems of information and communications networks or services. Article 50-4(4)]
    Monitoring and measurement Process or Activity
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)]
    Audits and risk management Establish/Maintain Documentation
    Implement out-of-band authentication, as necessary. CC ID 10606 Technical security Technical Security
    Disseminate and communicate the access control procedures to all interested personnel and affected parties. CC ID 14123 Technical security Communicate
    Quarantine data that fails security tests. CC ID 16500 Technical security Data and Information Management
    Revoke old cryptographic keys or invalid cryptographic keys immediately. CC ID 01307 Technical security Data and Information Management
    Replace known or suspected compromised cryptographic keys immediately. CC ID 01306 Technical security Data and Information Management
    Remove malware when malicious code is discovered. CC ID 13691 Technical security Process or Activity
    Notify interested personnel and affected parties when malware is detected. CC ID 13689 Technical security Communicate
    Establish, implement, and maintain a malicious code outbreak recovery plan. CC ID 01310 Technical security Establish/Maintain Documentation
    Incorporate the malicious code analysis into the patch management program. CC ID 10673 Technical security Technical Security
    Change access requirements to organizational assets for personnel and visitors, as necessary. CC ID 12463 Physical and environmental protection Physical and Environmental Protection
    Document all lost badges in a lost badge list. CC ID 12448 Physical and environmental protection Establish/Maintain Documentation
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Human Resources management Technical Security
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 Human Resources management Technical Security
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Human Resources management Data and Information Management
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources management Human Resources Management
    Conduct secure coding and development training for developers. CC ID 06822 Human Resources management Behavior
    Implement a sanctions process for personnel who fail to comply to the organizational compliance program. CC ID 01442 Human Resources management Behavior
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Operational management Actionable Reports or Measurements
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Establish/Maintain Documentation
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Establish/Maintain Documentation
    Contain the incident to prevent further loss. CC ID 01751
    [A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an abnormality found in the information system of a person who uses clustered information and communications facilities (hereinafter referred to as "user of facilities") will probably cause a serious trouble to the information system of other users of facilities or clustered information and communications facilities; Article 46-2(1)(1)
    A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If it is anticipated that an intrusion from outside will probably cause a serious trouble to the clustered information and communications facilities; Article 46-2(1)(2)
    {relevant authority}A business operator of clustered information and communications facilities may, if any of the following events occurs, suspend rendering relevant services, in whole or in part, as stipulated in the standardized user agreement: If there occurs a serious intrusion and the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency requests to suspend the services. Article 46-2(1)(3)]
    Operational management Process or Activity
    Wipe data and memory after an incident has been detected. CC ID 16850 Operational management Technical Security
    Refrain from accessing compromised systems. CC ID 01752 Operational management Technical Security
    Isolate compromised systems from the network. CC ID 01753 Operational management Technical Security
    Store system logs for in scope systems as digital forensic evidence after a security incident has been detected. CC ID 01754 Operational management Log Management
    Change authenticators after a security incident has been detected. CC ID 06789 Operational management Technical Security
    Share incident information with interested personnel and affected parties. CC ID 01212
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Operational management Data and Information Management
    Share data loss event information with the media. CC ID 01759 Operational management Behavior
    Share data loss event information with interconnected system owners. CC ID 01209 Operational management Establish/Maintain Documentation
    Report data loss event information to breach notification organizations. CC ID 01210
    [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5)
    {relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)
    {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3)
    {relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)
    {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1)
    {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4)
    {relevant authority} A person falling under any of the following subparagraphs shall, where he or she discovers an intrusion, immediately report it to the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency. In such cases, a notice given in accordance with Article 13 (1) of the Act on the Protection of Information and Communications Infrastructure shall be deemed a report under the foregoing sentence: Article 48-3(1)
    {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)]
    Operational management Data and Information Management
    Report to breach notification organizations the time frame in which the organization will send data loss event notifications to interested personnel and affected parties. CC ID 04731 Operational management Behavior
    Notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00365
    [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)]
    Operational management Behavior
    Delay sending incident response notifications under predetermined conditions. CC ID 00804 Operational management Behavior
    Establish, implement, and maintain incident response notifications. CC ID 12975 Operational management Establish/Maintain Documentation
    Provide enrollment information for identity theft prevention services or identity theft mitigation services. CC ID 13767 Operational management Communicate
    Offer identity theft prevention services or identity theft mitigation services at no cost to the affected parties. CC ID 13766 Operational management Business Processes
    Send paper incident response notifications to affected parties, as necessary. CC ID 00366 Operational management Behavior
    Determine if a substitute incident response notification is permitted if notifying affected parties. CC ID 00803 Operational management Behavior
    Use a substitute incident response notification to notify interested personnel and affected parties of the privacy breach that affects their personal data. CC ID 00368 Operational management Behavior
    Telephone incident response notifications to affected parties, as necessary. CC ID 04650 Operational management Behavior
    Publish the incident response notification in a general circulation periodical. CC ID 04651 Operational management Behavior
    Send electronic incident response notifications to affected parties, as necessary. CC ID 00367 Operational management Behavior
    Notify interested personnel and affected parties of the privacy breach about any recovered restricted data. CC ID 13347 Operational management Communicate
    Change the authenticator for shared accounts when the group membership changes. CC ID 14249 System hardening through configuration management Business Processes
    Correct billing and settlement errors. CC ID 08623
    [Where a user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)]
    Acquisition or sale of facilities, technology, and services Business Processes
    Document any reasons acknowledgment of the privacy notice was not received. CC ID 14434 Privacy protection for information and data Establish/Maintain Documentation
    Amend education records within a reasonable period after receiving a record amendment request. CC ID 12998 Privacy protection for information and data Records Management
    Decide whether to amend education records based on evidence presented during a hearing. CC ID 13020 Privacy protection for information and data Records Management
    Remove certification marks of privacy programs the organization is no longer a member of from the privacy policy. CC ID 12368 Privacy protection for information and data Establish/Maintain Documentation
    Remove any privacy programs the organization is not a member of from the privacy policy. CC ID 12367 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate private communications when required by law. CC ID 14335 Privacy protection for information and data Communicate
    Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 Privacy protection for information and data Communicate
    Allow authorized individuals to authenticate record entries containing personal data. CC ID 11812 Privacy protection for information and data Records Management
    Notify the subject of care when a lack of availability of health information systems might have adversely affected their care. CC ID 13990 Privacy protection for information and data Communicate
    Refrain from disseminating and communicating with individuals that have opted out of direct marketing communications. CC ID 13708
    [{refrain from taking}No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to avoid or interfere with an addressee's refusal to receive or revocation of his or her consent to receive advertising information; Article 50(5)(1)
    {refrain from transmitting} Notwithstanding paragraph (1), where an addressee expresses his or her intention to refuse to receive information or revokes his or her prior consent, no person who intends to transmit advertising information for profit by using an electronic transmission medium shall transmit advertising information for profit. Article 50(2)
    A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If a user does not want to receive advertising information; Article 50-4(1)(2)]
    Privacy protection for information and data Communicate
    Refrain from disclosing a security breach if an investigation concludes none has occurred. CC ID 13086 Privacy protection for information and data Communicate
    Notify the data subject when personal data has been inadvertently disclosed. CC ID 13989 Privacy protection for information and data Communicate
    Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 Privacy protection for information and data Monitor and Evaluate Occurrences
    Take appropriate action when a data leakage is discovered. CC ID 14716
    [{relevant authority} Upon the request of the Korea Communications Commission or the Korea Internet and Security Agency, a provider, etc. of information and communications services shall take necessary measures such as deleting and blocking exposed personal information referred to in paragraph (1). Article 32-3(2)
    A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)]
    Privacy protection for information and data Process or Activity
    Implement procedures to file privacy rights violation complaints. CC ID 00476
    [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)]
    Privacy protection for information and data Data and Information Management
    File privacy rights violation complaints in writing. CC ID 00477 Privacy protection for information and data Establish/Maintain Documentation
    Include the acts or omissions that are in violation of privacy rights in the privacy rights violation complaint. CC ID 14360 Privacy protection for information and data Establish/Maintain Documentation
    Provide assistance to data subjects for filing privacy rights violation complaints. CC ID 00478 Privacy protection for information and data Behavior
    File privacy rights violation complaints inside the mandate stipulated from the refusal. CC ID 00479 Privacy protection for information and data Behavior
    Change or destroy any personal data that is incorrect. CC ID 00462
    [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Privacy protection for information and data Data and Information Management
    Notify the data subject of changes made to personal data as the result of a dispute. CC ID 00463
    [Where a user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)
    {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)]
    Privacy protection for information and data Behavior
    Escalate the appeal process to change personal data when the data controller fails to make changes to the disputed data. CC ID 00465 Privacy protection for information and data Data and Information Management
    Notify the data subject of which and why disputed changes were not made to personal data. CC ID 00466
    [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Privacy protection for information and data Behavior
    Notify entities to whom personal data was transferred that the personal data is wrong, along with the corrections. CC ID 00467 Privacy protection for information and data Behavior
    Order the cessation of data processing when a violation of the privacy policy is detected. CC ID 00475 Privacy protection for information and data Data and Information Management
    Cooperate with authorities during a privacy rights violation complaint investigation. CC ID 14364 Privacy protection for information and data Business Processes
    Notify respondents after a privacy rights violation complaint investigation has been resolved. CC ID 13513 Privacy protection for information and data Communicate
    Create an investigative report in regards to a privacy rights violation complaint. CC ID 00495 Privacy protection for information and data Establish/Maintain Documentation
    Respond to an investigative report in regards to a privacy rights violation complaint. CC ID 00496 Privacy protection for information and data Behavior
    Order the organization to change to be in compliance with applicable law. CC ID 00499 Privacy protection for information and data Behavior
    Order the organization to publish a notice with the corrections or actions taken. CC ID 00500 Privacy protection for information and data Behavior
    Award damages based on applicable law. CC ID 00501
    [A provider of telecommunications billing services shall negotiate with the claimant to damages for agreement on compensation for the damages under paragraph (1). Article 60(2)]
    Privacy protection for information and data Behavior
    Destroy personal data that breaches privacy after the privacy breach has been detected. CC ID 00503 Privacy protection for information and data Data and Information Management
    Terminate supplier relationships, as necessary. CC ID 13489
    [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)]
    Third Party and supply chain oversight Business Processes
    Enforce third party Service Level Agreements, as necessary. CC ID 07098 Third Party and supply chain oversight Business Processes
  • Detective
    144
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Leadership and high level objectives Investigate
    Verify all required information is attached to each funds transfer. CC ID 16755 Leadership and high level objectives Business Processes
    Analyze the effectiveness of the stress test plan. CC ID 16657 Leadership and high level objectives Process or Activity
    Validate the margin system on a regular basis. CC ID 16660 Leadership and high level objectives Testing
    Assess the properties of the margin model used in the margin system. CC ID 16658 Leadership and high level objectives Process or Activity
    Monitor the performance of the margin system. CC ID 16655 Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze the performance of the margin system. CC ID 16654 Leadership and high level objectives Process or Activity
    Determine the amount of assets to be held in escrow. CC ID 16575 Leadership and high level objectives Investigate
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637 Monitoring and measurement Log Management
    Adhere to the system security plan. CC ID 11640 Monitoring and measurement Testing
    Validate all testing assumptions in the test plans. CC ID 00663 Monitoring and measurement Testing
    Require testing procedures to be complete. CC ID 00664 Monitoring and measurement Testing
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 Monitoring and measurement Monitor and Evaluate Occurrences
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of the provider, etc. of information and communications services: Provided, That the provisions concerning reporting of measures for improvement shall not apply where the business owner or representative is the person responsible for protection of personal information pursuant to paragraph (2). Article 27(4)]
    Monitoring and measurement Monitor and Evaluate Occurrences
    Include monitoring in the corrective action plan. CC ID 11645 Monitoring and measurement Monitor and Evaluate Occurrences
    Refrain from performing identity proofing as a means of providing access to systems or services. CC ID 13776 Technical security Process or Activity
    Interact with the data subject when performing remote proofing. CC ID 13777 Technical security Process or Activity
    View all applicant actions when performing remote proofing. CC ID 13804 Technical security Process or Activity
    Verify transaction history as part of the knowledge-based authentication questions during the identity proofing process. CC ID 13755 Technical security Process or Activity
    Base the knowledge-based authentication for the identity proofing process on authoritative sources. CC ID 13743 Technical security Process or Activity
    Refrain from revealing the data subject's personal data in knowledge-based authentication questions for the identity proofing process. CC ID 13774 Technical security Process or Activity
    Refrain from using diversionary knowledge-based authentication questions during the identity proofing processes. CC ID 13744 Technical security Process or Activity
    Validate proof of identity during the identity proofing process. CC ID 13756 Technical security Process or Activity
    Allow biometric authentication for proof of identity during the identity proofing process. CC ID 13797 Technical security Business Processes
    Inspect for the presence of man-made materials when performing biometric authentication during the identity proofing process. CC ID 13803 Technical security Process or Activity
    Verify proof of identity records. CC ID 13761 Technical security Investigate
    Refrain from using knowledge-based authentication to verify an individual's identity against more than one proof of identity during the identity proofing process. CC ID 13784 Technical security Process or Activity
    Conduct in-person proofing with physical interactions. CC ID 13775 Technical security Process or Activity
    Reperform the identity proofing process for each individual, as necessary. CC ID 13762 Technical security Process or Activity
    Configure security alerts in firewalls to include the source Internet protocol address and destination Internet protocol address associated with long sessions. CC ID 12174 Technical security Configuration
    Configure firewalls to perform dynamic packet filtering. CC ID 01288 Technical security Testing
    Configure network access and control points to organizational standards. CC ID 12442 Technical security Configuration
    Test cryptographic key management applications, as necessary. CC ID 04829 Technical security Testing
    Implement non-repudiation for transactions. CC ID 00567 Technical security Testing
    Scan for malicious code, as necessary. CC ID 11941 Technical security Investigate
    Test all removable storage media for viruses and malicious code. CC ID 11861 Technical security Testing
    Test all untrusted files or unverified files for viruses and malicious code. CC ID 01311 Technical security Testing
    Log and react to all malicious code activity. CC ID 07072 Technical security Monitor and Evaluate Occurrences
    Analyze the behavior and characteristics of the malicious code. CC ID 10672 Technical security Technical Security
    Inspect telephones for eavesdropping devices. CC ID 02223 Physical and environmental protection Physical and Environmental Protection
    Detect anomalies in physical barriers. CC ID 13533 Physical and environmental protection Investigate
    Secure physical entry points with physical access controls or security guards. CC ID 01640 Physical and environmental protection Physical and Environmental Protection
    Test locks for physical security vulnerabilities. CC ID 04880 Physical and environmental protection Testing
    Lock all lockable equipment cabinets. CC ID 11673 Physical and environmental protection Physical and Environmental Protection
    Monitor for unauthorized physical access at physical entry points and physical exit points. CC ID 01638 Physical and environmental protection Monitor and Evaluate Occurrences
    Report anomalies in the visitor log to appropriate personnel. CC ID 14755 Physical and environmental protection Investigate
    Log when the vault is accessed. CC ID 06725 Physical and environmental protection Log Management
    Log when the cabinet is accessed. CC ID 11674 Physical and environmental protection Log Management
    Observe restricted areas with motion detectors or closed-circuit television systems. CC ID 01328 Physical and environmental protection Monitor and Evaluate Occurrences
    Review and correlate all data collected from video cameras and/or access control mechanisms with other entries. CC ID 11609 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor physical entry point alarms. CC ID 01639 Physical and environmental protection Physical and Environmental Protection
    Evaluate and react to when unauthorized access is detected by physical entry point alarms. CC ID 11677 Physical and environmental protection Monitor and Evaluate Occurrences
    Monitor for alarmed security doors being propped open. CC ID 06684 Physical and environmental protection Monitor and Evaluate Occurrences
    Determine the cause for the activation of the recovery plan. CC ID 13291 Operational and Systems Continuity Investigate
    Test the recovery plan, as necessary. CC ID 13290 Operational and Systems Continuity Testing
    Test the backup information, as necessary. CC ID 13303 Operational and Systems Continuity Testing
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Operational and Systems Continuity Establish/Maintain Documentation
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 Human Resources management Testing
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources management Human Resources Management
    Perform a background check during personnel screening. CC ID 11758 Human Resources management Human Resources Management
    Document the personnel risk assessment results. CC ID 11764 Human Resources management Establish/Maintain Documentation
    Perform periodic background checks on designated roles, as necessary. CC ID 11759 Human Resources management Human Resources Management
    Document the security clearance procedure results. CC ID 01635 Human Resources management Establish/Maintain Documentation
    Identify and watch individuals that pose a risk to the organization. CC ID 10674 Human Resources management Monitor and Evaluate Occurrences
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources management Human Resources Management
    Document all training in a training record. CC ID 01423 Human Resources management Establish/Maintain Documentation
    Conduct tests and evaluate training. CC ID 06672 Human Resources management Testing
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Human Resources management Training
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Human Resources management Training
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Human Resources management Monitor and Evaluate Occurrences
    Analyze and evaluate training records to improve the training program. CC ID 06380 Human Resources management Monitor and Evaluate Occurrences
    Include the legal intellectual property responsibilities in the Code of Conduct. CC ID 04898 Human Resources management Establish/Maintain Documentation
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Business Processes
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Establish/Maintain Documentation
    Review and approve access controls, as necessary. CC ID 13074 Operational management Process or Activity
    Perform social network analysis, as necessary. CC ID 14864 Operational management Investigate
    Refrain from turning on any in scope devices that are turned off when a security incident is detected. CC ID 08677 Operational management Investigate
    Include where the digital forensic evidence was found in the forensic investigation report. CC ID 08674 Operational management Establish/Maintain Documentation
    Include the condition of the digital forensic evidence in the forensic investigation report. CC ID 08678 Operational management Establish/Maintain Documentation
    Submit an incident management audit log to the proper authorities for each security breach that affects a predefined number of individuals, as necessary. CC ID 06326 Operational management Log Management
    Determine whether or not incident response notifications are necessary during the privacy breach investigation. CC ID 00801 Operational management Behavior
    Avoid false positive incident response notifications. CC ID 04732 Operational management Behavior
    Include information required by law in incident response notifications. CC ID 00802 Operational management Establish/Maintain Documentation
    Include how the affected parties can protect themselves from identity theft in incident response notifications. CC ID 04738 Operational management Establish/Maintain Documentation
    Analyze and respond to security alerts. CC ID 12504
    [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)]
    Operational management Business Processes
    Ensure the root account is the first entry in password files. CC ID 16323 System hardening through configuration management Data and Information Management
    Define each system's preservation requirements for records and logs. CC ID 00904 Records management Establish/Maintain Documentation
    Establish, implement, and maintain a data retention program. CC ID 00906 Records management Establish/Maintain Documentation
    Maintain continued integrity for all stored data and stored records. CC ID 00969
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of access records; Article 28(1)(3)]
    Records management Testing
    Compare each record's data input to its final form. CC ID 11813 Records management Records Management
    Label printed output for specific record categories as directed by the organization's information classification standard. CC ID 01420 Records management Records Management
    Include anti-tamper technologies and anti-tamper techniques in the system design specification. CC ID 10639 Systems design, build, and implementation Monitor and Evaluate Occurrences
    Require a data protection impact assessment when profiling the data subject. CC ID 12680 Privacy protection for information and data Process or Activity
    Document privacy policies in clearly written and easily understood language. CC ID 00376 Privacy protection for information and data Establish/Maintain Documentation
    Notify the individual of the reasons for delays in responding to data access requests. CC ID 00422 Privacy protection for information and data Behavior
    Notify the individual when a cost is imposed which must be paid in advance to gain access. CC ID 00423 Privacy protection for information and data Behavior
    Refrain from erasing personal data upon data subject request when it is being used for incident detection. CC ID 13778 Privacy protection for information and data Process or Activity
    Analyze requirements for processing personal data in contracts. CC ID 12550 Privacy protection for information and data Investigate
    Disclose personal data when the data subject has consented and has the ability to opt out. CC ID 00158 Privacy protection for information and data Data and Information Management
    Disclose restricted data for judicial decisions, lawsuits, and investigations only after the data controller includes a note of the disclosure in the record. CC ID 00162 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is for the state's economic interest as a reason for denial in the personal data request denial procedures. CC ID 00446 Privacy protection for information and data Data and Information Management
    Determine the financial impact for the unauthorized disclosure of privacy-related data and privacy-related information. CC ID 06488 Privacy protection for information and data Business Processes
    Confirm the data quality of personal data collected from third parties. CC ID 13510 Privacy protection for information and data Investigate
    Review the methods for collecting personal data, as necessary. CC ID 13511 Privacy protection for information and data Investigate
    Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 Privacy protection for information and data Testing
    Conduct personal data risk assessments. CC ID 00357 Privacy protection for information and data Testing
    Establish, implement, and maintain suspicious document procedures. CC ID 04852 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 Privacy protection for information and data Data and Information Management
    Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 Privacy protection for information and data Monitor and Evaluate Occurrences
    Perform an identity check prior to approving an account change request. CC ID 13670 Privacy protection for information and data Investigate
    Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 Privacy protection for information and data Behavior
    Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 Privacy protection for information and data Data and Information Management
    Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 Privacy protection for information and data Log Management
    Log dates for account name changes or address changes. CC ID 04876 Privacy protection for information and data Log Management
    Review accounts that are changed for additional user requests. CC ID 11846 Privacy protection for information and data Monitor and Evaluate Occurrences
    Send change notices for change of address requests to the old address and the new address. CC ID 04877 Privacy protection for information and data Data and Information Management
    Search the Internet for evidence of data leakage. CC ID 10419 Privacy protection for information and data Process or Activity
    Review monitored websites for data leakage. CC ID 10593 Privacy protection for information and data Monitor and Evaluate Occurrences
    Conduct internal data processing audits. CC ID 00374 Privacy protection for information and data Testing
    Review compliance with the organization's privacy objectives. CC ID 13490 Privacy protection for information and data Human Resources Management
    Investigate privacy rights violation complaints. CC ID 00480 Privacy protection for information and data Behavior
    Notify respondents after a privacy rights violation complaint investigation begins. CC ID 00491 Privacy protection for information and data Behavior
    Investigate privacy rights violation complaints in private. CC ID 00492 Privacy protection for information and data Behavior
    Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints. CC ID 00493 Privacy protection for information and data Behavior
    Allow the complainant to appear before the commissioner and make a submission, orally or in writing, about the privacy rights violation complaint investigation before an adverse decision to the complainant is reached. CC ID 00494 Privacy protection for information and data Behavior
    Define the available administrative remedies in regards to a privacy rights violation complaint. CC ID 00497
    [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Refrain from subjecting individuals to retaliation or intimidation after a complaint is created. CC ID 06218 Privacy protection for information and data Testing
    Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794
    [{refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)]
    Third Party and supply chain oversight Process or Activity
    Include a termination provision clause in third party contracts. CC ID 01367
    [If a provider of information and communications services intends to take any measure for refusal under paragraph (1) or (4), he or she shall include matters concerning the refusal of the relevant services in the terms and conditions of a contract for use of information and communications services which he or she concludes with the user of such services. Article 50-4(2)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party requirements for personnel security in third party contracts. CC ID 00790 Third Party and supply chain oversight Testing
    Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 Third Party and supply chain oversight Testing
    Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 Third Party and supply chain oversight Testing
    Establish the third party's service continuity. CC ID 00797 Third Party and supply chain oversight Testing
    Determine the adequacy of a third party's alternate site preparations. CC ID 06879 Third Party and supply chain oversight Testing
    Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 Third Party and supply chain oversight Data and Information Management
    Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 Third Party and supply chain oversight Testing
    Document supply chain dependencies in the supply chain management program. CC ID 08900 Third Party and supply chain oversight Establish/Maintain Documentation
    Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 Third Party and supply chain oversight Establish/Maintain Documentation
    Approve all Service Level Agreements. CC ID 00843 Third Party and supply chain oversight Establish/Maintain Documentation
    Track all chargeable items in Service Level Agreements. CC ID 11616 Third Party and supply chain oversight Business Processes
    Document all chargeable items in Service Level Agreements. CC ID 00844 Third Party and supply chain oversight Establish/Maintain Documentation
    Perform risk assessments of third parties, as necessary. CC ID 06454 Third Party and supply chain oversight Testing
    Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 Third Party and supply chain oversight Audits and Risk Management
  • IT Impact Zone
    14
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Monitoring and measurement CC ID 00636 Monitoring and measurement IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Technical security CC ID 00508 Technical security IT Impact Zone
    Physical and environmental protection CC ID 00709 Physical and environmental protection IT Impact Zone
    Operational and Systems Continuity CC ID 00731 Operational and Systems Continuity IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    System hardening through configuration management CC ID 00860 System hardening through configuration management IT Impact Zone
    Records management CC ID 00902 Records management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
    Acquisition or sale of facilities, technology, and services CC ID 01123 Acquisition or sale of facilities, technology, and services IT Impact Zone
    Privacy protection for information and data CC ID 00008 Privacy protection for information and data IT Impact Zone
    Third Party and supply chain oversight CC ID 08807 Third Party and supply chain oversight IT Impact Zone
  • Preventive
    2165
    Establish, implement, and maintain a reporting methodology program. CC ID 02072 Leadership and high level objectives Business Processes
    Establish, implement, and maintain an external reporting program. CC ID 12876
    [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1)]
    Leadership and high level objectives Communicate
    Provide identifying information about the organization to the responsible party. CC ID 16715 Leadership and high level objectives Communicate
    Identify the material topics required to be reported on. CC ID 15654 Leadership and high level objectives Business Processes
    Check the list of material topics for completeness. CC ID 15692 Leadership and high level objectives Investigate
    Prioritize material topics used in reporting. CC ID 15678 Leadership and high level objectives Communicate
    Review and approve the material topics, as necessary. CC ID 15670 Leadership and high level objectives Process or Activity
    Define the thresholds for reporting in the external reporting program. CC ID 15679 Leadership and high level objectives Establish/Maintain Documentation
    Include time requirements in the external reporting program. CC ID 16566 Leadership and high level objectives Communicate
    Include information about the organizational culture in the external reporting program. CC ID 15610 Leadership and high level objectives Establish/Maintain Documentation
    Include reporting to governing bodies in the external reporting plan. CC ID 12923
    [{relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3)
    {relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)
    {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)]
    Leadership and high level objectives Communicate
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Leadership and high level objectives Communicate
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Leadership and high level objectives Establish/Maintain Documentation
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Leadership and high level objectives Establish/Maintain Documentation
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Leadership and high level objectives Establish/Maintain Documentation
    Analyze organizational objectives, functions, and activities. CC ID 00598 Leadership and high level objectives Monitor and Evaluate Occurrences
    Establish, implement, and maintain organizational objectives. CC ID 09959
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A business plan. Article 53(1)(4)]
    Leadership and high level objectives Establish/Maintain Documentation
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Leadership and high level objectives Process or Activity
    Identify events that may affect organizational objectives. CC ID 12961 Leadership and high level objectives Process or Activity
    Identify conditions that may affect organizational objectives. CC ID 12958 Leadership and high level objectives Process or Activity
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Leadership and high level objectives Business Processes
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Leadership and high level objectives Business Processes
    Prioritize organizational objectives. CC ID 09960 Leadership and high level objectives Business Processes
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Communicate
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Establish/Maintain Documentation
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Establish/Maintain Documentation
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Leadership and high level objectives Establish/Maintain Documentation
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Establish/Maintain Documentation
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Leadership and high level objectives Establish/Maintain Documentation
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Establish/Maintain Documentation
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Leadership and high level objectives Establish/Maintain Documentation
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Establish/Maintain Documentation
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Establish/Maintain Documentation
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Communicate
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Leadership and high level objectives Communicate
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 Leadership and high level objectives Establish/Maintain Documentation
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Leadership and high level objectives Business Processes
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Leadership and high level objectives Process or Activity
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Leadership and high level objectives Process or Activity
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a financial management program. CC ID 13228
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Financial soundness; Article 53(1)(1)]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Leadership and high level objectives Establish/Maintain Documentation
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Leadership and high level objectives Communicate
    Return the funds from a funds transfer when required information is not received or discrepancies resolved. CC ID 16760 Leadership and high level objectives Business Processes
    Delay the funds transfer until all required information has been received or discrepancies resolved. CC ID 16759 Leadership and high level objectives Business Processes
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Leadership and high level objectives Business Processes
    Attach the required information to each funds transfer. CC ID 16756 Leadership and high level objectives Business Processes
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Leadership and high level objectives Business Processes
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Leadership and high level objectives Testing
    Include communication protocols in the financial management program. CC ID 16763 Leadership and high level objectives Establish/Maintain Documentation
    Include ongoing monitoring in the financial management program. CC ID 16762 Leadership and high level objectives Process or Activity
    Employ tools to manage settlement and funding flows. CC ID 16743 Leadership and high level objectives Process or Activity
    Refrain from setting up anonymous financial accounts. CC ID 16721 Leadership and high level objectives Business Processes
    Identify and maintain positions in financial accounts. CC ID 16751 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Leadership and high level objectives Establish/Maintain Documentation
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Leadership and high level objectives Process or Activity
    Establish, implement, and maintain financial resource management procedures. CC ID 16642 Leadership and high level objectives Establish/Maintain Documentation
    Document the rationale for the amount of financial resources being held. CC ID 16688 Leadership and high level objectives Establish/Maintain Documentation
    Supplement financial resources, as necessary. CC ID 16685 Leadership and high level objectives Business Processes
    Establish, implement, and maintain collateral procedures. CC ID 16653 Leadership and high level objectives Establish/Maintain Documentation
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Leadership and high level objectives Establish/Maintain Documentation
    Define the collateral requirements in the collateral procedures. CC ID 16686 Leadership and high level objectives Establish/Maintain Documentation
    Test the collateral requirements for appropriateness. CC ID 16681 Leadership and high level objectives Testing
    Limit the types of assets accepted as collateral. CC ID 16602 Leadership and high level objectives Business Processes
    Avoid the use of concentrated holdings of assets. CC ID 16651 Leadership and high level objectives Business Processes
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Leadership and high level objectives Testing
    Include stress scenarios in the stress test plan. CC ID 16659 Leadership and high level objectives Testing
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Leadership and high level objectives Testing
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Leadership and high level objectives Communicate
    Identify and document the financial resources available for use. CC ID 16643 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Leadership and high level objectives Establish/Maintain Documentation
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a securities trading program. CC ID 16626 Leadership and high level objectives Business Processes
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Leadership and high level objectives Establish/Maintain Documentation
    Include roles and responsibilities in the securities trading program. CC ID 16689 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Leadership and high level objectives Establish/Maintain Documentation
    Include performance guarantees in the capital restoration plan. CC ID 16616 Leadership and high level objectives Establish/Maintain Documentation
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Leadership and high level objectives Establish/Maintain Documentation
    Include required information in the capital restoration plan. CC ID 16609 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain valuation procedures. CC ID 16634 Leadership and high level objectives Establish/Maintain Documentation
    Include investment information in approval requests for investments. CC ID 16590 Leadership and high level objectives Business Processes
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain lending policies. CC ID 16608 Leadership and high level objectives Establish/Maintain Documentation
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Leadership and high level objectives Process or Activity
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Leadership and high level objectives Establish/Maintain Documentation
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Leadership and high level objectives Establish/Maintain Documentation
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Leadership and high level objectives Establish/Maintain Documentation
    Include pricing structures in the lending policy. CC ID 16724 Leadership and high level objectives Establish/Maintain Documentation
    Include monitoring requirements in the lending policy. CC ID 16710 Leadership and high level objectives Establish/Maintain Documentation
    Include loan origination procedures in the lending policy. CC ID 16709 Leadership and high level objectives Establish/Maintain Documentation
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Leadership and high level objectives Establish/Maintain Documentation
    Include loan requirements in the lending policy. CC ID 16706 Leadership and high level objectives Establish/Maintain Documentation
    Include appraisals and evaluations in the lending policy. CC ID 16705 Leadership and high level objectives Establish/Maintain Documentation
    Include terms and conditions in the lending policy. CC ID 16695 Leadership and high level objectives Establish/Maintain Documentation
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Leadership and high level objectives Establish/Maintain Documentation
    Include geographic areas in the lending policy. CC ID 16691 Leadership and high level objectives Establish/Maintain Documentation
    Include underwriting guidelines in the lending policy. CC ID 16619 Leadership and high level objectives Establish/Maintain Documentation
    Include credit review in the underwriting guidelines. CC ID 16765 Leadership and high level objectives Establish/Maintain Documentation
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Leadership and high level objectives Establish/Maintain Documentation
    Include documentation requirements in the lending policy. CC ID 16617 Leadership and high level objectives Establish/Maintain Documentation
    Include the purpose of the loan in the loan documentation. CC ID 16747 Leadership and high level objectives Establish/Maintain Documentation
    Include the source of repayment in the loan documentation. CC ID 16746 Leadership and high level objectives Establish/Maintain Documentation
    Include approval requirements in the lending policy. CC ID 16615 Leadership and high level objectives Establish/Maintain Documentation
    Include reporting requirements in the lending policy. CC ID 16614 Leadership and high level objectives Establish/Maintain Documentation
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Leadership and high level objectives Establish/Maintain Documentation
    Include loan administration procedures in the lending policy. CC ID 16610 Leadership and high level objectives Establish/Maintain Documentation
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Leadership and high level objectives Establish/Maintain Documentation
    Include termination procedures in the loan participation agreement. CC ID 16753 Leadership and high level objectives Establish/Maintain Documentation
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Leadership and high level objectives Establish/Maintain Documentation
    Include servicing agreements in the loan administration procedures. CC ID 16744 Leadership and high level objectives Establish/Maintain Documentation
    Include claims processing in the loan administration procedures. CC ID 16742 Leadership and high level objectives Establish/Maintain Documentation
    Include forbearance management in the loan administration procedures. CC ID 16741 Leadership and high level objectives Establish/Maintain Documentation
    Include foreclosure management in the loan administration procedures. CC ID 16740 Leadership and high level objectives Establish/Maintain Documentation
    Include delinquency management in the loan administration procedures. CC ID 16739 Leadership and high level objectives Establish/Maintain Documentation
    Include customer due diligence in the loan administration procedures. CC ID 16736 Leadership and high level objectives Process or Activity
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Leadership and high level objectives Establish/Maintain Documentation
    Include loan closing in the loan administration procedures. CC ID 16734 Leadership and high level objectives Establish/Maintain Documentation
    Include payoff statements in the loan administration procedures. CC ID 16733 Leadership and high level objectives Establish/Maintain Documentation
    Include payment processing in the loan administration procedures. CC ID 16732 Leadership and high level objectives Establish/Maintain Documentation
    Include loan reviews in the loan administration procedures. CC ID 16703 Leadership and high level objectives Establish/Maintain Documentation
    Include collections in the loan administration procedures. CC ID 16701 Leadership and high level objectives Establish/Maintain Documentation
    Include collateral inspections in the loan administration procedures. CC ID 16699 Leadership and high level objectives Establish/Maintain Documentation
    Include disbursements in the loan administration procedures. CC ID 16697 Leadership and high level objectives Establish/Maintain Documentation
    Review and approve lending policies. CC ID 16607 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a dividend policy. CC ID 16569 Leadership and high level objectives Establish/Maintain Documentation
    Include compliance requirements in the dividend policy. CC ID 16570 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain margin systems. CC ID 16601 Leadership and high level objectives Business Processes
    Include valuation models in the margin system. CC ID 16663 Leadership and high level objectives Data and Information Management
    Include procedures for collecting price data in the margin system. CC ID 16662 Leadership and high level objectives Data and Information Management
    Include reliable sources for price data in the margin system. CC ID 16661 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Leadership and high level objectives Business Processes
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Leadership and high level objectives Communicate
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279 Leadership and high level objectives Establish/Maintain Documentation
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Leadership and high level objectives Establish/Maintain Documentation
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Leadership and high level objectives Establish/Maintain Documentation
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Leadership and high level objectives Establish/Maintain Documentation
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Leadership and high level objectives Data and Information Management
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Leadership and high level objectives Data and Information Management
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Leadership and high level objectives Data and Information Management
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Leadership and high level objectives Data and Information Management
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Leadership and high level objectives Data and Information Management
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Leadership and high level objectives Data and Information Management
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Leadership and high level objectives Data and Information Management
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Leadership and high level objectives Data and Information Management
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Leadership and high level objectives Data and Information Management
    Include account information in the recordkeeping system for securities transactions. CC ID 16632 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Leadership and high level objectives Establish/Maintain Documentation
    Include the call date in the securities transaction notification. CC ID 16680 Leadership and high level objectives Establish/Maintain Documentation
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Leadership and high level objectives Establish/Maintain Documentation
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Leadership and high level objectives Establish/Maintain Documentation
    Include the call price in the securities transaction notification. CC ID 16678 Leadership and high level objectives Establish/Maintain Documentation
    Include debits and credits in the securities transaction notification. CC ID 16677 Leadership and high level objectives Establish/Maintain Documentation
    Include transactions in the securities transaction notification. CC ID 16676 Leadership and high level objectives Establish/Maintain Documentation
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Leadership and high level objectives Establish/Maintain Documentation
    Include yield information in the securities transaction notification. CC ID 16673 Leadership and high level objectives Establish/Maintain Documentation
    Include redemption information in the securities transaction notification. CC ID 16672 Leadership and high level objectives Establish/Maintain Documentation
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Leadership and high level objectives Establish/Maintain Documentation
    Include the type of call in the securities transaction notification. CC ID 16668 Leadership and high level objectives Establish/Maintain Documentation
    Include an account statement in the securities transaction notification. CC ID 16666 Leadership and high level objectives Establish/Maintain Documentation
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Leadership and high level objectives Establish/Maintain Documentation
    Include the execution price in the securities transaction notification. CC ID 16664 Leadership and high level objectives Establish/Maintain Documentation
    Include the organization's role in the securities transaction notification. CC ID 16646 Leadership and high level objectives Establish/Maintain Documentation
    Include the name of the broker in the securities transaction notification. CC ID 16647 Leadership and high level objectives Establish/Maintain Documentation
    Include the name of the customer in the securities transaction notification. CC ID 16625 Leadership and high level objectives Establish/Maintain Documentation
    Include the organization's name in the securities transaction notification. CC ID 16624 Leadership and high level objectives Establish/Maintain Documentation
    Include confirmations in the securities transaction notification. CC ID 16623 Leadership and high level objectives Establish/Maintain Documentation
    Include remunerations in the securities transaction notification. CC ID 16622 Leadership and high level objectives Establish/Maintain Documentation
    Include requested information in the securities transaction notification. CC ID 16641 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Leadership and high level objectives Communicate
    Include the execution date in the securities transaction notification. CC ID 16620 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain financial reports. CC ID 14770 Leadership and high level objectives Establish/Maintain Documentation
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Leadership and high level objectives Establish/Maintain Documentation
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Leadership and high level objectives Establish/Maintain Documentation
    Include the business need justification for lost value in the financial report. CC ID 15588 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Leadership and high level objectives Communicate
    Include financial statements in the financial report, as necessary. CC ID 14775 Leadership and high level objectives Establish/Maintain Documentation
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Leadership and high level objectives Establish/Maintain Documentation
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Leadership and high level objectives Establish/Maintain Documentation
    Include material contingencies in the financial statement. CC ID 16596 Leadership and high level objectives Establish/Maintain Documentation
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Leadership and high level objectives Establish/Maintain Documentation
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Leadership and high level objectives Establish/Maintain Documentation
    Include assets and liabilities in the call report. CC ID 16729 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Leadership and high level objectives Communicate
    Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211
    [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)]
    Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitoring and measurement Monitor and Evaluate Occurrences
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581
    [The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Installation of a systematic or technical device for preventing unlawful use of information and communications networks; Article 51(3)(1)]
    Monitoring and measurement Configuration
    Establish, implement, and maintain a risk monitoring program. CC ID 00658 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a system security plan. CC ID 01922
    [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)]
    Monitoring and measurement Testing
    Include a system description in the system security plan. CC ID 16467 Monitoring and measurement Establish/Maintain Documentation
    Include a description of the operational context in the system security plan. CC ID 14301 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the security categorization in the system security plan. CC ID 14281 Monitoring and measurement Establish/Maintain Documentation
    Include the information types in the system security plan. CC ID 14696 Monitoring and measurement Establish/Maintain Documentation
    Include the security requirements in the system security plan. CC ID 14274 Monitoring and measurement Establish/Maintain Documentation
    Include threats in the system security plan. CC ID 14693 Monitoring and measurement Establish/Maintain Documentation
    Include network diagrams in the system security plan. CC ID 14273 Monitoring and measurement Establish/Maintain Documentation
    Include roles and responsibilities in the system security plan. CC ID 14682 Monitoring and measurement Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Monitoring and measurement Establish/Maintain Documentation
    Include remote access methods in the system security plan. CC ID 16441 Monitoring and measurement Establish/Maintain Documentation
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Monitoring and measurement Communicate
    Include a description of the operational environment in the system security plan. CC ID 14272 Monitoring and measurement Establish/Maintain Documentation
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Monitoring and measurement Establish/Maintain Documentation
    Include the authorization boundary in the system security plan. CC ID 14257 Monitoring and measurement Establish/Maintain Documentation
    Align the enterprise architecture with the system security plan. CC ID 14255 Monitoring and measurement Process or Activity
    Include security controls in the system security plan. CC ID 14239
    [Every business operator who operates and manages clustered information and communications facilities to render information and communications services on behalf of another person (hereinafter referred to as "business operator of clustered information and communications facilities") shall take protective measures as prescribed by Presidential Decree to operate the information and communications facilities stably. Article 46(1)]
    Monitoring and measurement Establish/Maintain Documentation
    Create specific test plans to test each system component. CC ID 00661 Monitoring and measurement Establish/Maintain Documentation
    Include the roles and responsibilities in the test plan. CC ID 14299 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment team in the test plan. CC ID 14297 Monitoring and measurement Establish/Maintain Documentation
    Include the scope in the test plans. CC ID 14293 Monitoring and measurement Establish/Maintain Documentation
    Include the assessment environment in the test plan. CC ID 14271 Monitoring and measurement Establish/Maintain Documentation
    Approve the system security plan. CC ID 14241 Monitoring and measurement Business Processes
    Review the test plans for each system component. CC ID 00662 Monitoring and measurement Establish/Maintain Documentation
    Document validated testing processes in the testing procedures. CC ID 06200 Monitoring and measurement Establish/Maintain Documentation
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Monitoring and measurement Establish/Maintain Documentation
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Monitoring and measurement Testing
    Implement automated audit tools. CC ID 04882 Monitoring and measurement Acquisition/Sale of Assets or Services
    Assign senior management to approve test plans. CC ID 13071 Monitoring and measurement Human Resources Management
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a metrics policy. CC ID 01654 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 Monitoring and measurement Establish/Maintain Documentation
    Align corrective actions with the level of environmental impact. CC ID 15193 Monitoring and measurement Business Processes
    Include risks and opportunities in the corrective action plan. CC ID 15178 Monitoring and measurement Establish/Maintain Documentation
    Include environmental aspects in the corrective action plan. CC ID 15177 Monitoring and measurement Establish/Maintain Documentation
    Include the completion date in the corrective action plan. CC ID 13272 Monitoring and measurement Establish/Maintain Documentation
    Establish, implement, and maintain a risk management program. CC ID 12051 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Audits and risk management Establish/Maintain Documentation
    Review and approve the risk assessment findings. CC ID 06485 Audits and risk management Establish/Maintain Documentation
    Establish, implement, and maintain a digital identity management program. CC ID 13713 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain digital identification procedures. CC ID 13714
    [Any of the following persons shall, if he or she intends to install and operate a message board, take necessary measures, as prescribed by Presidential Decree (hereinafter referred to as "measures for identity verification"), including preparation of methods and procedures for verifying identity of users of the message board: Article 44-5(1)
    {refrain from using} Even where the collection/use of users' resident registration numbers is authorized pursuant to paragraph (1) 2 or 3, an identification method without using the users' resident registration numbers (hereinafter referred to as "alternative means") shall be provided. Article 23-2(2)]
    Technical security Establish/Maintain Documentation
    Implement digital identification processes. CC ID 13731 Technical security Process or Activity
    Implement identity proofing processes. CC ID 13719 Technical security Process or Activity
    Verify the identity of the organization's authorized representative during the identity proofing process. CC ID 13786 Technical security Process or Activity
    Allow authorized representatives to act on behalf of the data subject during the identity proofing process. CC ID 13787 Technical security Process or Activity
    Support the identity proofing process through in-person proofing or remote proofing. CC ID 13750 Technical security Process or Activity
    Establish, implement, and maintain remote proofing procedures. CC ID 13796 Technical security Establish/Maintain Documentation
    Require digital authentication of evidence by integrated scanners when performing remote proofing. CC ID 13805 Technical security Configuration
    Use valid activation codes to complete the identity proofing process when performing remote proofing. CC ID 13742 Technical security Process or Activity
    Employ knowledge-based authentication tools to aid the identity proofing process. CC ID 13741 Technical security Process or Activity
    Refrain from using publicly available information for knowledge-based authentication during the identity proofing process. CC ID 13752 Technical security Process or Activity
    Refrain from using knowledge-based authentication questions that hint at their own answers during the identity proofing process. CC ID 13785 Technical security Process or Activity
    Refrain from using static knowledge-based authentication questions during the identity proofing process. CC ID 13773 Technical security Process or Activity
    Require a minimum number of knowledge-based authentication questions for the identity proofing process. CC ID 13745 Technical security Configuration
    Require free-form response knowledge-based authentication questions for the identity proofing process. CC ID 13746 Technical security Configuration
    Set a maximum number of attempts to complete the knowledge-based authentication for the identity proofing process. CC ID 13747 Technical security Configuration
    Use information from authoritative sources or the applicant for knowledge-based authentication during the identity proofing process. CC ID 13749 Technical security Process or Activity
    Allow records that relate to the data subject as proof of identity. CC ID 13772 Technical security Process or Activity
    Include the consequences of refraining from providing attributes in the identity proofing process. CC ID 13748 Technical security Process or Activity
    Send a notification of proofing to a confirmed address of record when performing in-person proofing. CC ID 13739 Technical security Process or Activity
    Refrain from using unconfirmed self-asserted address data during the identity proofing process. CC ID 13738 Technical security Process or Activity
    Refrain from approving attributes in the identity proofing process. CC ID 13716 Technical security Process or Activity
    Establish, implement, and maintain an access control program. CC ID 11702 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an access rights management plan. CC ID 00513 Technical security Establish/Maintain Documentation
    Control access rights to organizational assets. CC ID 00004 Technical security Technical Security
    Establish access rights based on least privilege. CC ID 01411
    [Every provider of information and communications services or similar shall restrict the persons who may manage users' personal information to the minimum extent. Article 28(2)]
    Technical security Technical Security
    Assign user permissions based on job responsibilities. CC ID 00538 Technical security Technical Security
    Assign user privileges after they have management sign off. CC ID 00542 Technical security Technical Security
    Separate processing domains to segregate user privileges and enhance information flow control. CC ID 06767 Technical security Configuration
    Assign Information System access authorizations if implementing segregation of duties. CC ID 06323 Technical security Establish Roles
    Enforce access restrictions for restricted data. CC ID 01921
    [A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)]
    Technical security Data and Information Management
    Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework. CC ID 00526
    [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Technical security Technical Security
    Establish, implement, and maintain access control procedures. CC ID 11663
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information; Article 28(1)(2)]
    Technical security Establish/Maintain Documentation
    Grant access to authorized personnel or systems. CC ID 12186 Technical security Configuration
    Document approving and granting access in the access control log. CC ID 06786 Technical security Establish/Maintain Documentation
    Disseminate and communicate the access control log to interested personnel and affected parties. CC ID 16442 Technical security Communicate
    Include the user identifiers of all personnel who are authorized to access a system in the system record. CC ID 15171 Technical security Establish/Maintain Documentation
    Include identity information of all personnel who are authorized to access a system in the system record. CC ID 16406 Technical security Establish/Maintain Documentation
    Include the date and time that access was reviewed in the system record. CC ID 16416 Technical security Data and Information Management
    Include the date and time that access rights were changed in the system record. CC ID 16415 Technical security Establish/Maintain Documentation
    Identify and control all network access controls. CC ID 00529 Technical security Technical Security
    Establish, implement, and maintain a Boundary Defense program. CC ID 00544 Technical security Establish/Maintain Documentation
    Configure network access and control points to protect restricted data or restricted information. CC ID 01284
    [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)]
    Technical security Configuration
    Protect data stored at external locations. CC ID 16333 Technical security Data and Information Management
    Protect the firewall's network connection interfaces. CC ID 01955 Technical security Technical Security
    Configure firewalls to deny all traffic by default, except explicitly designated traffic. CC ID 00547 Technical security Configuration
    Allow local program exceptions on the firewall, as necessary. CC ID 01956 Technical security Configuration
    Allow remote administration exceptions on the firewall, as necessary. CC ID 01957 Technical security Configuration
    Allow file sharing exceptions on the firewall, as necessary. CC ID 01958 Technical security Configuration
    Allow printer sharing exceptions on the firewall, as necessary. CC ID 11849 Technical security Configuration
    Allow Internet Control Message Protocol exceptions on the firewall, as necessary. CC ID 01959 Technical security Configuration
    Allow Remote Desktop Connection exceptions on the firewall, as necessary. CC ID 01960 Technical security Configuration
    Allow UPnP framework exceptions on the firewall, as necessary. CC ID 01961 Technical security Configuration
    Allow notification exceptions on the firewall, as necessary. CC ID 01962 Technical security Configuration
    Allow unicast response to multicast or broadcast exceptions on the firewall, as necessary. CC ID 01964 Technical security Configuration
    Allow protocol port exceptions on the firewall, as necessary. CC ID 01965 Technical security Configuration
    Allow local port exceptions on the firewall, as necessary. CC ID 01966 Technical security Configuration
    Establish, implement, and maintain ingress address filters on the firewall, as necessary. CC ID 01287 Technical security Configuration
    Establish, implement, and maintain packet filtering requirements. CC ID 16362 Technical security Technical Security
    Configure firewall filtering to only permit established connections into the network. CC ID 12482 Technical security Technical Security
    Restrict outbound network traffic from systems that contain restricted data or restricted information. CC ID 01295 Technical security Data and Information Management
    Deny direct Internet access to databases that store restricted data or restricted information. CC ID 01271 Technical security Data and Information Management
    Synchronize and secure all router configuration files. CC ID 01291 Technical security Configuration
    Synchronize and secure all firewall configuration files. CC ID 11851 Technical security Configuration
    Configure firewalls to generate an audit log. CC ID 12038 Technical security Audits and Risk Management
    Configure firewalls to generate an alert when a potential security incident is detected. CC ID 12165 Technical security Configuration
    Record the configuration rules for network access and control points in the configuration management system. CC ID 12105 Technical security Establish/Maintain Documentation
    Record the duration of the business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12107 Technical security Establish/Maintain Documentation
    Record each individual's name and business need associated with changes to the configuration rules for network access and control points in the configuration management system. CC ID 12106 Technical security Establish/Maintain Documentation
    Enforce information flow control. CC ID 11781 Technical security Monitor and Evaluate Occurrences
    Establish, implement, and maintain information flow control configuration standards. CC ID 01924 Technical security Establish/Maintain Documentation
    Constrain the information flow of restricted data or restricted information. CC ID 06763
    [The Government may have providers or users of information and communications services to take necessary measures to prevent outflow abroad of any important information about industry, economy, science, technology, etc. of this country through information and communications networks. Article 51(1)]
    Technical security Data and Information Management
    Restrict access to restricted data and restricted information on a need to know basis. CC ID 12453 Technical security Data and Information Management
    Prohibit restricted data or restricted information from being sent to mobile devices. CC ID 04725 Technical security Data and Information Management
    Prohibit restricted data or restricted information from being copied or moved absent approval of system boundaries for information flow control. CC ID 06310 Technical security Data and Information Management
    Manage the use of encryption controls and cryptographic controls. CC ID 00570
    [A chief information protection officer shall be responsible for the following matters: Review of the encryption of an important information and the suitability of a security server; Article 45-3(3)(6)]
    Technical security Technical Security
    Comply with the encryption laws of the local country. CC ID 16377 Technical security Business Processes
    Define the cryptographic module security functions and the cryptographic module operational modes. CC ID 06542 Technical security Establish/Maintain Documentation
    Define the cryptographic boundaries. CC ID 06543 Technical security Establish/Maintain Documentation
    Establish and maintain the documentation requirements for cryptographic modules. CC ID 06544 Technical security Establish/Maintain Documentation
    Establish and maintain the security requirements for cryptographic module ports and cryptographic module interfaces. CC ID 06545 Technical security Establish/Maintain Documentation
    Implement the documented cryptographic module security functions. CC ID 06755 Technical security Data and Information Management
    Establish, implement, and maintain documentation for the delivery and operation of cryptographic modules. CC ID 06547 Technical security Establish/Maintain Documentation
    Document the operation of the cryptographic module. CC ID 06546 Technical security Establish/Maintain Documentation
    Employ cryptographic controls that comply with applicable requirements. CC ID 12491 Technical security Technical Security
    Establish, implement, and maintain digital signatures. CC ID 13828 Technical security Data and Information Management
    Include the expiration date in digital signatures. CC ID 13833 Technical security Data and Information Management
    Include audience restrictions in digital signatures. CC ID 13834 Technical security Data and Information Management
    Include the subject in digital signatures. CC ID 13832 Technical security Data and Information Management
    Include the issuer in digital signatures. CC ID 13831 Technical security Data and Information Management
    Include identifiers in the digital signature. CC ID 13829 Technical security Data and Information Management
    Generate and protect a secret random number for each digital signature. CC ID 06577 Technical security Establish/Maintain Documentation
    Establish the security strength requirements for the digital signature process. CC ID 06578 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain an encryption management and cryptographic controls policy. CC ID 04546 Technical security Establish/Maintain Documentation
    Refrain from allowing the use of cleartext for input or output of restricted data or restricted information. CC ID 04823 Technical security Configuration
    Encrypt in scope data or in scope information, as necessary. CC ID 04824 Technical security Data and Information Management
    Digitally sign records and data, as necessary. CC ID 16507 Technical security Data and Information Management
    Make key usage for data fields unique for each device. CC ID 04828 Technical security Technical Security
    Decrypt restricted data for the minimum time required. CC ID 12308 Technical security Data and Information Management
    Decrypt personal data only on dedicated networks, not on public networks. CC ID 12309 Technical security Data and Information Management
    Accept only trusted keys and/or certificates. CC ID 11988 Technical security Technical Security
    Establish, implement, and maintain cryptographic key creation domain parameter requirements. CC ID 06575 Technical security Data and Information Management
    Define the asymmetric signature field for the CHUID container on identification cards or badges. CC ID 06584 Technical security Process or Activity
    Implement cryptographic operations and support functions on identification cards or badges. CC ID 06585 Technical security Process or Activity
    Disseminate and communicate the encryption management and cryptographic controls policy to all interested personnel and affected parties. CC ID 15476 Technical security Communicate
    Define the format of the biometric data on identification cards or badges. CC ID 06586 Technical security Process or Activity
    Protect salt values and hash values in accordance with organizational standards. CC ID 16471 Technical security Data and Information Management
    Provide guidance to customers on how to securely transmit, store, and update cryptographic keys. CC ID 12040 Technical security Establish/Maintain Documentation
    Disseminate and communicate the encryption management procedures to all interested personnel and affected parties. CC ID 15477 Technical security Communicate
    Establish, implement, and maintain encryption management procedures. CC ID 15475 Technical security Establish/Maintain Documentation
    Define and assign cryptographic, encryption and key management roles and responsibilities. CC ID 15470 Technical security Establish Roles
    Establish, implement, and maintain cryptographic key management procedures. CC ID 00571 Technical security Establish/Maintain Documentation
    Disseminate and communicate cryptographic key management procedures to interested personnel and affected parties. CC ID 13164 Technical security Communicate
    Bind keys to each identity. CC ID 12337 Technical security Technical Security
    Include recommended cryptographic key management procedures for cloud service providers in the cryptographic key management procedures. CC ID 13152 Technical security Establish/Maintain Documentation
    Include requesting cryptographic key types in the cryptographic key management procedures. CC ID 13151 Technical security Establish/Maintain Documentation
    Recover encrypted data for lost cryptographic keys, compromised cryptographic keys, or damaged cryptographic keys. CC ID 01301 Technical security Data and Information Management
    Generate strong cryptographic keys. CC ID 01299 Technical security Data and Information Management
    Generate unique cryptographic keys for each user. CC ID 12169 Technical security Technical Security
    Use approved random number generators for creating cryptographic keys. CC ID 06574 Technical security Data and Information Management
    Implement decryption keys so that they are not linked to user accounts. CC ID 06851 Technical security Technical Security
    Include the establishment of cryptographic keys in the cryptographic key management procedures. CC ID 06540 Technical security Establish/Maintain Documentation
    Disseminate and communicate cryptographic keys securely. CC ID 01300 Technical security Data and Information Management
    Control the input and output of cryptographic keys from a cryptographic module. CC ID 06541 Technical security Data and Information Management
    Store cryptographic keys securely. CC ID 01298 Technical security Data and Information Management
    Restrict access to cryptographic keys. CC ID 01297 Technical security Data and Information Management
    Store cryptographic keys in encrypted format. CC ID 06084 Technical security Data and Information Management
    Store key-encrypting keys and data-encrypting keys in different locations. CC ID 06085 Technical security Technical Security
    Include offsite backups of cryptographic keys in the cryptographic key management procedures. CC ID 13127 Technical security Establish/Maintain Documentation
    Change cryptographic keys in accordance with organizational standards. CC ID 01302 Technical security Data and Information Management
    Destroy cryptographic keys promptly after the retention period. CC ID 01303 Technical security Data and Information Management
    Control cryptographic keys with split knowledge and dual control. CC ID 01304 Technical security Data and Information Management
    Prevent the unauthorized substitution of cryptographic keys. CC ID 01305 Technical security Data and Information Management
    Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys. CC ID 06852 Technical security Technical Security
    Archive outdated cryptographic keys. CC ID 06884 Technical security Data and Information Management
    Archive revoked cryptographic keys. CC ID 11819 Technical security Data and Information Management
    Require key custodians to sign the cryptographic key management policy. CC ID 01308 Technical security Establish/Maintain Documentation
    Require key custodians to sign the key custodian's roles and responsibilities. CC ID 11820 Technical security Human Resources Management
    Manage the digital signature cryptographic key pair. CC ID 06576 Technical security Data and Information Management
    Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates. CC ID 06587 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain Public Key certificate application procedures. CC ID 07079 Technical security Establish/Maintain Documentation
    Establish a Registration Authority to support the Public Key Infrastructure. CC ID 15725 Technical security Establish Roles
    Include the Identification and Authentication of individuals or entities in the Public Key certificate application procedures. CC ID 07080 Technical security Establish/Maintain Documentation
    Include approving or rejecting Public Key certificate applications in the Public Key certificate application procedure. CC ID 07081 Technical security Establish/Maintain Documentation
    Include revocation of Public Key certificates in the Public Key certificate procedures. CC ID 07082 Technical security Establish/Maintain Documentation
    Publish revoked Public Key certificates in the Certificate Revocation List. CC ID 07089 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain Public Key renewal or rekeying request procedures. CC ID 07083 Technical security Establish/Maintain Documentation
    Include identification and authentication in Public Key renewal or rekeying request procedures. CC ID 11816 Technical security Establish/Maintain Documentation
    Issue authentication mechanisms that support the Public Key Infrastructure. CC ID 07092 Technical security Technical Security
    Establish a Root Certification Authority to support the Public Key Infrastructure. CC ID 07084 Technical security Technical Security
    Establish, implement, and maintain Public Key certificate procedures. CC ID 07085 Technical security Establish/Maintain Documentation
    Include signing and issuing Public Key certificates in the Public Key certificate procedures. CC ID 11817 Technical security Establish/Maintain Documentation
    Include publishing Public Key certificates in the Public Key certificate procedures. CC ID 07087 Technical security Establish/Maintain Documentation
    Include access to issued Public Key certificates in the Public Key certificate procedures. CC ID 07086 Technical security Establish/Maintain Documentation
    Connect the Public Key Infrastructure to the organization's identity and access management system. CC ID 07091 Technical security Technical Security
    Archive Public Key certificate records according to organizational Records Management rules. CC ID 07090 Technical security Records Management
    Refrain from storing encryption keys with cloud service providers when cryptographic key management services are in place locally. CC ID 13153 Technical security Technical Security
    Refrain from permitting cloud service providers to manage encryption keys when cryptographic key management services are in place locally. CC ID 13154 Technical security Technical Security
    Use strong data encryption to transmit in scope data or in scope information, as necessary. CC ID 00564
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)]
    Technical security Technical Security
    Ensure restricted data or restricted information are encrypted prior to or at the time of transmission. CC ID 01749 Technical security Configuration
    Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls. CC ID 12492 Technical security Technical Security
    Encrypt traffic over networks with trusted cryptographic keys. CC ID 12490 Technical security Technical Security
    Authorize transactions of data transmitted over public networks or shared data networks. CC ID 00566 Technical security Establish/Maintain Documentation
    Treat data messages that do not receive an acknowledgment as never having been sent. CC ID 14416 Technical security Technical Security
    Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks. CC ID 00568 Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized modification. CC ID 12021 Technical security Technical Security
    Protect application services information transmitted over a public network from unauthorized disclosure. CC ID 12020 Technical security Technical Security
    Protect application services information transmitted over a public network from contract disputes. CC ID 12019 Technical security Technical Security
    Protect application services information transmitted over a public network from fraudulent activity. CC ID 12018 Technical security Technical Security
    Establish, implement, and maintain a malicious code protection program. CC ID 00574
    [{antivirus software} Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that mutilates, destroys, alters, or forges an information and communications system, data, a program, or similar or that interferes with the operation of such system, data, program, or similar without a justifiable ground; Article 44-7(1)(4)]
    Technical security Establish/Maintain Documentation
    Disseminate and communicate the malicious code protection policy to all interested personnel and affected parties. CC ID 15485 Technical security Communicate
    Disseminate and communicate the malicious code protection procedures to all interested personnel and affected parties. CC ID 15484 Technical security Communicate
    Establish, implement, and maintain malicious code protection procedures. CC ID 15483 Technical security Establish/Maintain Documentation
    Establish, implement, and maintain a malicious code protection policy. CC ID 15478 Technical security Establish/Maintain Documentation
    Restrict downloading to reduce malicious code attacks. CC ID 04576 Technical security Behavior
    Install security and protection software, as necessary. CC ID 00575
    [{antivirus software} Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing intrusion of computer viruses, including installation and operation of vaccine software; Article 28(1)(5)]
    Technical security Configuration
    Install and maintain container security solutions. CC ID 16178 Technical security Technical Security
    Protect the system against replay attacks. CC ID 04552 Technical security Technical Security
    Define and assign roles and responsibilities for malicious code protection. CC ID 15474 Technical security Establish Roles
    Lock antivirus configurations. CC ID 10047 Technical security Configuration
    Establish, implement, and maintain a physical security program. CC ID 11757 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a facility physical security program. CC ID 00711
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)]
    Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain opening procedures for businesses. CC ID 16671 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain closing procedures for businesses. CC ID 16670 Physical and environmental protection Establish/Maintain Documentation
    Establish and maintain a contract for accessing facilities that transmit, process, or store restricted data. CC ID 12050 Physical and environmental protection Establish/Maintain Documentation
    Refrain from providing access to facilities that transmit, process, or store restricted data until the contract for accessing the facility is signed. CC ID 12311 Physical and environmental protection Behavior
    Protect the facility from crime. CC ID 06347 Physical and environmental protection Physical and Environmental Protection
    Define communication methods for reporting crimes. CC ID 06349 Physical and environmental protection Establish/Maintain Documentation
    Include identification cards or badges in the physical security program. CC ID 14818 Physical and environmental protection Establish/Maintain Documentation
    Protect facilities from eavesdropping. CC ID 02222 Physical and environmental protection Physical and Environmental Protection
    Implement audio protection controls on telephone systems in controlled areas. CC ID 16455 Physical and environmental protection Technical Security
    Establish, implement, and maintain security procedures for virtual meetings. CC ID 15581 Physical and environmental protection Establish/Maintain Documentation
    Hold conferences requiring sensitive information discussions in spaces that have commensurate security. CC ID 11440 Physical and environmental protection Physical and Environmental Protection
    Provide one-time meeting support for discussions involving Top Secret information. CC ID 11441 Physical and environmental protection Physical and Environmental Protection
    Create security zones in facilities, as necessary. CC ID 16295 Physical and environmental protection Physical and Environmental Protection
    Establish clear zones around any sensitive facilities. CC ID 02214 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain floor plans. CC ID 16419 Physical and environmental protection Establish/Maintain Documentation
    Include network infrastructure and cabling infrastructure on the floor plan. CC ID 16420 Physical and environmental protection Establish/Maintain Documentation
    Post floor plans of critical facilities in secure locations. CC ID 16138 Physical and environmental protection Communicate
    Post and maintain security signage for all facilities. CC ID 02201 Physical and environmental protection Establish/Maintain Documentation
    Inspect items brought into the facility. CC ID 06341 Physical and environmental protection Physical and Environmental Protection
    Maintain all physical security systems. CC ID 02206 Physical and environmental protection Physical and Environmental Protection
    Maintain all security alarm systems. CC ID 11669 Physical and environmental protection Physical and Environmental Protection
    Identify and document physical access controls for all physical entry points. CC ID 01637 Physical and environmental protection Establish/Maintain Documentation
    Control physical access to (and within) the facility. CC ID 01329 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain physical access procedures. CC ID 13629 Physical and environmental protection Establish/Maintain Documentation
    Meet the physical access requirements of disabled individuals, if reasonably possible. CC ID 00419 Physical and environmental protection Physical and Environmental Protection
    Configure the access control system to grant access only during authorized working hours. CC ID 12325 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a visitor access permission policy. CC ID 06699 Physical and environmental protection Establish/Maintain Documentation
    Escort visitors within the facility, as necessary. CC ID 06417 Physical and environmental protection Establish/Maintain Documentation
    Check the visitor's stated identity against a provided government issued identification. CC ID 06701 Physical and environmental protection Physical and Environmental Protection
    Authorize visitors before granting entry to physical areas containing restricted data or restricted information. CC ID 01330 Physical and environmental protection Testing
    Disseminate and communicate the right of the organization to search visitors while at the facility. CC ID 06702 Physical and environmental protection Behavior
    Establish, implement, and maintain procedures for changing a visitor's access requirements. CC ID 12048 Physical and environmental protection Establish/Maintain Documentation
    Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information. CC ID 01436 Physical and environmental protection Establish/Maintain Documentation
    Authorize physical access to sensitive areas based on job functions. CC ID 12462 Physical and environmental protection Establish/Maintain Documentation
    Escort uncleared personnel who need to work in or access controlled access areas. CC ID 00747 Physical and environmental protection Monitor and Evaluate Occurrences
    Establish, implement, and maintain physical identification procedures. CC ID 00713 Physical and environmental protection Establish/Maintain Documentation
    Disallow opting out of wearing or displaying identification cards or badges. CC ID 13030 Physical and environmental protection Human Resources Management
    Implement physical identification processes. CC ID 13715 Physical and environmental protection Process or Activity
    Refrain from using knowledge-based authentication for in-person identity verification. CC ID 13717 Physical and environmental protection Process or Activity
    Issue photo identification badges to all employees. CC ID 12326 Physical and environmental protection Physical and Environmental Protection
    Implement operational requirements for card readers. CC ID 02225 Physical and environmental protection Testing
    Establish, implement, and maintain lost or damaged identification card procedures, as necessary. CC ID 14819 Physical and environmental protection Establish/Maintain Documentation
    Report lost badges, stolen badges, and broken badges to the Security Manager. CC ID 12334 Physical and environmental protection Physical and Environmental Protection
    Manage constituent identification inside the facility. CC ID 02215 Physical and environmental protection Behavior
    Direct each employee to be responsible for their identification card or badge. CC ID 12332 Physical and environmental protection Human Resources Management
    Manage visitor identification inside the facility. CC ID 11670 Physical and environmental protection Physical and Environmental Protection
    Issue visitor identification badges to all non-employees. CC ID 00543 Physical and environmental protection Behavior
    Secure unissued visitor identification badges. CC ID 06712 Physical and environmental protection Physical and Environmental Protection
    Retrieve visitor identification badges prior to the exit of a visitor from the facility. CC ID 01331 Physical and environmental protection Behavior
    Include name, date of entry, and validity period on disposable identification cards or badges. CC ID 12331 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain identification issuance procedures for identification cards or badges. CC ID 06598 Physical and environmental protection Establish/Maintain Documentation
    Record the assigned identification card or badge serial number when issuing an identification card or badge. CC ID 06714 Physical and environmental protection Process or Activity
    Include error handling controls in identification issuance procedures. CC ID 13709 Physical and environmental protection Establish/Maintain Documentation
    Include an appeal process in the identification issuance procedures. CC ID 15428 Physical and environmental protection Business Processes
    Include information security in the identification issuance procedures. CC ID 15425 Physical and environmental protection Establish/Maintain Documentation
    Include identity proofing processes in the identification issuance procedures. CC ID 06597 Physical and environmental protection Process or Activity
    Establish, implement, and maintain post-issuance update procedures for identification cards or badges. CC ID 15426 Physical and environmental protection Establish/Maintain Documentation
    Include an identity registration process in the identification issuance procedures. CC ID 11671 Physical and environmental protection Establish/Maintain Documentation
    Restrict access to the badge system to authorized personnel. CC ID 12043 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for badge assignments. CC ID 12328 Physical and environmental protection Physical and Environmental Protection
    Enforce dual control for accessing unassigned identification cards or badges. CC ID 12327 Physical and environmental protection Physical and Environmental Protection
    Refrain from imprinting the company name or company logo on identification cards or badges. CC ID 12282 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain identification renewal procedures for identification cards or badges. CC ID 06599 Physical and environmental protection Establish/Maintain Documentation
    Assign employees the responsibility for controlling their identification badges. CC ID 12333 Physical and environmental protection Human Resources Management
    Establish, implement, and maintain identification re-issuing procedures for identification cards or badges. CC ID 06596 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain identification mechanism termination procedures. CC ID 06306 Physical and environmental protection Establish/Maintain Documentation
    Prevent tailgating through physical entry points. CC ID 06685 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a door security standard. CC ID 06686 Physical and environmental protection Establish/Maintain Documentation
    Install doors so that exposed hinges are on the secured side. CC ID 06687 Physical and environmental protection Configuration
    Install emergency doors to permit egress only. CC ID 06688 Physical and environmental protection Configuration
    Install contact alarms on doors, as necessary. CC ID 06710 Physical and environmental protection Configuration
    Use locks to protect against unauthorized physical access. CC ID 06342 Physical and environmental protection Physical and Environmental Protection
    Use locks with electronic authentication systems or cipher locks, as necessary. CC ID 06650 Physical and environmental protection Configuration
    Secure unissued access mechanisms. CC ID 06713 Physical and environmental protection Technical Security
    Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems. CC ID 00748 Physical and environmental protection Establish/Maintain Documentation
    Change cipher lock codes, as necessary. CC ID 06651 Physical and environmental protection Technical Security
    Record the assigned access mechanism serial number or cipher lock code when issuing controlled items. CC ID 06715 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a window security standard. CC ID 06689 Physical and environmental protection Establish/Maintain Documentation
    Install contact alarms on openable windows, as necessary. CC ID 06690 Physical and environmental protection Configuration
    Install glass break alarms on windows, as necessary. CC ID 06691 Physical and environmental protection Configuration
    Post signs at all physical entry points stating the organization's right to inspect upon entry. CC ID 02204 Physical and environmental protection Establish/Maintain Documentation
    Install and maintain security lighting at all physical entry points. CC ID 02205 Physical and environmental protection Physical and Environmental Protection
    Use vandal resistant light fixtures for all security lighting. CC ID 16130 Physical and environmental protection Physical and Environmental Protection
    Manage access to loading docks, unloading docks, and mail rooms. CC ID 02210 Physical and environmental protection Physical and Environmental Protection
    Secure the loading dock with physical access controls or security guards. CC ID 06703 Physical and environmental protection Physical and Environmental Protection
    Isolate loading areas from information processing facilities, if possible. CC ID 12028 Physical and environmental protection Physical and Environmental Protection
    Screen incoming mail and deliveries. CC ID 06719 Physical and environmental protection Physical and Environmental Protection
    Protect access to the facility's mechanical systems area. CC ID 02212 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain elevator security guidelines. CC ID 02232 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain stairwell security guidelines. CC ID 02233 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain glass opening security guidelines. CC ID 02234 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain after hours facility access procedures. CC ID 06340 Physical and environmental protection Establish/Maintain Documentation
    Establish a security room, if necessary. CC ID 00738 Physical and environmental protection Physical and Environmental Protection
    Implement physical security standards for mainframe rooms or data centers. CC ID 00749 Physical and environmental protection Physical and Environmental Protection
    Establish and maintain equipment security cages in a shared space environment. CC ID 06711 Physical and environmental protection Physical and Environmental Protection
    Secure systems in lockable equipment cabinets, as necessary. CC ID 06716 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain vault physical security standards. CC ID 02203 Physical and environmental protection Physical and Environmental Protection
    Establish, implement, and maintain a guideline for working in a secure area. CC ID 04538 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain emergency re-entry procedures. CC ID 11672 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain emergency exit procedures. CC ID 01252 Physical and environmental protection Establish/Maintain Documentation
    Establish, implement, and maintain a camera operating policy. CC ID 15456 Physical and environmental protection Establish/Maintain Documentation
    Disseminate and communicate the camera installation policy to interested personnel and affected parties. CC ID 15461 Physical and environmental protection Communicate
    Establish and maintain a visitor log. CC ID 00715 Physical and environmental protection Log Management
    Require all visitors to sign in to the visitor log before the entrance of a visitor to the facility. CC ID 06700 Physical and environmental protection Establish/Maintain Documentation
    Require all visitors to sign out of the visitor log before the exit of a visitor from the facility. CC ID 06649 Physical and environmental protection Behavior
    Record the visitor's name in the visitor log. CC ID 00557 Physical and environmental protection Log Management
    Record the visitor's organization in the visitor log. CC ID 12121 Physical and environmental protection Log Management
    Record the visitor's acceptable access areas in the visitor log. CC ID 12237 Physical and environmental protection Log Management
    Record the date and time of entry in the visitor log. CC ID 13255 Physical and environmental protection Establish/Maintain Documentation
    Record the onsite personnel authorizing physical access for the visitor in the visitor log. CC ID 12466 Physical and environmental protection Establish/Maintain Documentation
    Retain all records in the visitor log as prescribed by law. CC ID 00572 Physical and environmental protection Log Management
    Establish, implement, and maintain a physical access log. CC ID 12080 Physical and environmental protection Establish/Maintain Documentation
    Log the entrance of a staff member to a facility or designated rooms within the facility. CC ID 01641 Physical and environmental protection Log Management
    Store facility access logs in off-site storage. CC ID 06958 Physical and environmental protection Log Management
    Log the exit of a staff member from a facility or designated rooms within the facility. CC ID 11675 Physical and environmental protection Monitor and Evaluate Occurrences
    Configure video cameras to cover all physical entry points. CC ID 06302 Physical and environmental protection Configuration
    Configure video cameras to prevent physical tampering or disablement. CC ID 06303 Physical and environmental protection Configuration
    Retain video events according to Records Management procedures. CC ID 06304 Physical and environmental protection Records Management
    Establish, implement, and maintain physical security threat reports. CC ID 02207 Physical and environmental protection Establish/Maintain Documentation
    Build and maintain fencing, as necessary. CC ID 02235 Physical and environmental protection Physical and Environmental Protection
    Implement security measures for all interior spaces that allow for any payment transactions. CC ID 06352 Physical and environmental protection Physical and Environmental Protection
    Physically segregate business areas in accordance with organizational standards. CC ID 16718 Physical and environmental protection Physical and Environmental Protection
    Employ security guards to provide physical security, as necessary. CC ID 06653 Physical and environmental protection Establish Roles
    Establish, implement, and maintain a facility wall standard. CC ID 06692 Physical and environmental protection Establish/Maintain Documentation
    Design interior walls with sound absorbing materials as well as thermal resistant materials. CC ID 06372 Physical and environmental protection Physical and Environmental Protection
    Design interior walls that provide security to extend from true floor to true ceiling. CC ID 06693 Physical and environmental protection Configuration
    Refrain from search and seizure inside organizational facilities absent a warrant. CC ID 09980 Physical and environmental protection Behavior
    Disallow either search or seizure of any person inside organizational facilities absent a warrant. CC ID 09981 Physical and environmental protection Behavior
    Disallow copying or excerpting from documents, books, or records that are on or in the premises of an organizational facility absent a warrant. CC ID 09982 Physical and environmental protection Business Processes
    Disallow inspecting computers or searching computer records inside organizational facilities absent a warrant. CC ID 09983 Physical and environmental protection Behavior
    Do nothing to help during a search and seizure inside organizational facilities absent a warrant and being legally compelled to assist. CC ID 09984 Physical and environmental protection Behavior
    Establish, implement, and maintain a business continuity program. CC ID 13210 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a continuity plan. CC ID 00752 Operational and Systems Continuity Establish/Maintain Documentation
    Establish, implement, and maintain a recovery plan. CC ID 13288
    [A business operator of clustered information and communications facilities shall, once the event that caused suspension of services terminates, resume its services immediately. Article 46-2(3)]
    Operational and Systems Continuity Establish/Maintain Documentation
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Operational and Systems Continuity Communicate
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Operational and Systems Continuity Establish/Maintain Documentation
    Include addressing backup failures in the recovery plan. CC ID 13298 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Operational and Systems Continuity Establish/Maintain Documentation
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Operational and Systems Continuity Human Resources Management
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Operational and Systems Continuity Establish/Maintain Documentation
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Operational and Systems Continuity Establish/Maintain Documentation
    Include the criteria for activation in the recovery plan. CC ID 13293 Operational and Systems Continuity Establish/Maintain Documentation
    Include escalation procedures in the recovery plan. CC ID 16248 Operational and Systems Continuity Establish/Maintain Documentation
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Operational and Systems Continuity Establish/Maintain Documentation
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Operational and Systems Continuity Communicate
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735 Operational and Systems Continuity Establish/Maintain Documentation
    Include purchasing insurance in the continuity plan. CC ID 00762 Operational and Systems Continuity Establish/Maintain Documentation
    Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682
    [Every business operator of clustered information and communications facilities shall purchase insurance policies as prescribed by Presidential Decree to cover damages that may be caused by destruction or damage of the clustered information and communications facilities or any other trouble in operation. Article 46(2)]
    Operational and Systems Continuity Acquisition/Sale of Assets or Services
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    Define and assign the head of Information Security's roles and responsibilities. CC ID 06091
    [{relevant authority} A provider of information and communications services may designate a chief information protection officer at a level of an executive officer for security of information and communications system, etc. and for safe administration of information: Provided, That in cases of any provider of information and communications services whose number of employees, number of users, etc. meet standards prescribed by Presidential Decree, he or she shall report its designation of the chief information protection officer to the Minister of Science, ICT and Future Planning. Article 45-3(1)
    A provider of information and communications services may establish and operate an association of chief information protection officers comprised of chief information protection officers prescribed in paragraph (1) in order to jointly perform prevention/response in cases of intrusion, sharing necessary information and other joint programs prescribed by Presidential Decree. Article 45-3(4)]
    Human Resources management Establish Roles
    Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714
    [A provider of information and communications services whose average number of users per day, sales, and other related factors fall under the criteria prescribed by Presidential Decree shall designate a person responsible for protection of juvenile to keep juvenile from unwholesome information to juvenile in the information and communication network. Article 42-3(1)
    The person responsible for protection of juvenile shall be chosen from among executive officers of the relevant business operator or the persons in a position equivalent to the head of a department responsible for business affairs related to protection of juvenile. Article 42-3(2)]
    Human Resources management Establish Roles
    Define and assign workforce roles and responsibilities. CC ID 13267 Human Resources management Human Resources Management
    Identify and define all critical roles. CC ID 00777 Human Resources management Establish Roles
    Define and assign the data controller's roles and responsibilities. CC ID 00471
    [Every provider of information and communications services or similar shall designate a person responsible for protection of personal information so that he or she protects the personal information of users and processes complaints from users in connection with the personal information: Provided, That a provider of information and communications services or similar may, if he or she falls under the criteria prescribed by Presidential Decree for the number of employees, number of users, and other related matters, omit such designation. Article 27(1)
    If a provider of information and communications services or similar does not designate a person responsible for protection of personal information under the proviso to paragraph (1), the business owner or representative of the provider or similar shall be the person responsible for protection of personal information. Article 27(2)]
    Human Resources management Establish Roles
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources management Human Resources Management
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources management Human Resources Management
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources management Human Resources Management
    Assign the role of data controller to applicable controls. CC ID 00354 Human Resources management Establish Roles
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources management Human Resources Management
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Human Resources management Establish Roles
    Establish, implement, and maintain a personnel management program. CC ID 14018
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Human resources and physical facilities required for carrying on the business; Article 53(1)(3)]
    Human Resources management Establish/Maintain Documentation
    Categorize the gender of all employees. CC ID 15609 Human Resources management Human Resources Management
    Categorize all employees by racial groups and ethnic groups. CC ID 15627 Human Resources management Human Resources Management
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 Human Resources management Human Resources Management
    Establish and maintain Personnel Files for all employees. CC ID 12438 Human Resources management Human Resources Management
    Include credit check results in each employee's personnel file. CC ID 12447 Human Resources management Human Resources Management
    Include any criminal records in each employee's personnel file. CC ID 12446 Human Resources management Human Resources Management
    Include all employee information in each employee's personnel file. CC ID 12445 Human Resources management Human Resources Management
    Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 Human Resources management Human Resources Management
    Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 Human Resources management Human Resources Management
    Include referral follow-up results in each employee's personnel file. CC ID 12440 Human Resources management Human Resources Management
    Include background check results in each employee's personnel file. CC ID 12439 Human Resources management Human Resources Management
    Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 Human Resources management Establish/Maintain Documentation
    Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 Human Resources management Human Resources Management
    Require all new hires to sign the Code of Conduct. CC ID 06665 Human Resources management Establish/Maintain Documentation
    Require all new hires to sign Acceptable Use Policies. CC ID 06662 Human Resources management Establish/Maintain Documentation
    Require new hires to sign nondisclosure agreements. CC ID 06668 Human Resources management Establish/Maintain Documentation
    Train all new hires, as necessary. CC ID 06673 Human Resources management Behavior
    Establish, implement, and maintain a personnel security program. CC ID 10628 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a personnel security policy. CC ID 14025 Human Resources management Establish/Maintain Documentation
    Include compliance requirements in the personnel security policy. CC ID 14154 Human Resources management Establish/Maintain Documentation
    Include coordination amongst entities in the personnel security policy. CC ID 14114 Human Resources management Establish/Maintain Documentation
    Include management commitment in the personnel security policy. CC ID 14113 Human Resources management Establish/Maintain Documentation
    Include roles and responsibilities in the personnel security policy. CC ID 14112 Human Resources management Establish/Maintain Documentation
    Include the scope in the personnel security policy. CC ID 14111 Human Resources management Establish/Maintain Documentation
    Include the purpose in the personnel security policy. CC ID 14110 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain personnel security procedures. CC ID 14058 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 Human Resources management Communicate
    Establish, implement, and maintain security clearance level criteria. CC ID 00780 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain staff position risk designations. CC ID 14280 Human Resources management Human Resources Management
    Assign security clearance procedures to qualified personnel. CC ID 06812 Human Resources management Establish Roles
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Human Resources management Establish Roles
    Establish, implement, and maintain personnel screening procedures. CC ID 11700 Human Resources management Establish/Maintain Documentation
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources management Human Resources Management
    Perform a criminal records check during personnel screening. CC ID 06643 Human Resources management Establish/Maintain Documentation
    Include all residences in the criminal records check. CC ID 13306 Human Resources management Process or Activity
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Human Resources management Establish/Maintain Documentation
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources management Human Resources Management
    Perform a credit check during personnel screening. CC ID 06646 Human Resources management Human Resources Management
    Perform an academic records check during personnel screening. CC ID 06647 Human Resources management Establish/Maintain Documentation
    Perform a drug test during personnel screening. CC ID 06648 Human Resources management Testing
    Perform a resume check during personnel screening. CC ID 06659 Human Resources management Human Resources Management
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources management Human Resources Management
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources management Human Resources Management
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Human Resources management Communicate
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources management Human Resources Management
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Human Resources management Establish/Maintain Documentation
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources management Human Resources Management
    Establish and maintain security clearances. CC ID 01634 Human Resources management Human Resources Management
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 Human Resources management Establish/Maintain Documentation
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources management Human Resources Management
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources management Human Resources Management
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677 Human Resources management Behavior
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Human Resources management Communicate
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources management Human Resources Management
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Human Resources management Behavior
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources management Human Resources Management
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Human Resources management Establish/Maintain Documentation
    Train all personnel and third parties, as necessary. CC ID 00785
    [A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)]
    Human Resources management Behavior
    Establish, implement, and maintain an education methodology. CC ID 06671 Human Resources management Business Processes
    Support certification programs as viable training programs. CC ID 13268 Human Resources management Human Resources Management
    Include evidence of experience in applications for professional certification. CC ID 16193 Human Resources management Establish/Maintain Documentation
    Include supporting documentation in applications for professional certification. CC ID 16195 Human Resources management Establish/Maintain Documentation
    Submit applications for professional certification. CC ID 16192 Human Resources management Training
    Retrain all personnel, as necessary. CC ID 01362 Human Resources management Behavior
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Human Resources management Behavior
    Tailor training to be taught at each person's level of responsibility. CC ID 06674 Human Resources management Behavior
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Human Resources management Behavior
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Human Resources management Behavior
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources management Human Resources Management
    Review the current published guidance and awareness and training programs. CC ID 01245 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain training plans. CC ID 00828 Human Resources management Establish/Maintain Documentation
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Human Resources management Training
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Human Resources management Training
    Develop or acquire content to update the training plans. CC ID 12867 Human Resources management Training
    Designate training facilities in the training plan. CC ID 16200 Human Resources management Training
    Include portions of the visitor control program in the training plan. CC ID 13287 Human Resources management Establish/Maintain Documentation
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources management Human Resources Management
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Human Resources management Training
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources management Human Resources Management
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Human Resources management Training
    Include risk management in the training plan, as necessary. CC ID 13040 Human Resources management Training
    Conduct Archives and Records Management training. CC ID 00975 Human Resources management Behavior
    Conduct personal data processing training. CC ID 13757 Human Resources management Training
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Human Resources management Training
    Include the cloud service usage standard in the training plan. CC ID 13039 Human Resources management Training
    Establish, implement, and maintain a security awareness program. CC ID 11746 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Human Resources management Establish/Maintain Documentation
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Human Resources management Establish/Maintain Documentation
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Human Resources management Establish/Maintain Documentation
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Human Resources management Communicate
    Include management commitment in the security awareness and training policy. CC ID 14049 Human Resources management Establish/Maintain Documentation
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048 Human Resources management Establish/Maintain Documentation
    Include the scope in the security awareness and training policy. CC ID 14047 Human Resources management Establish/Maintain Documentation
    Include the purpose in the security awareness and training policy. CC ID 14045 Human Resources management Establish/Maintain Documentation
    Include configuration management procedures in the security awareness program. CC ID 13967 Human Resources management Establish/Maintain Documentation
    Include media protection in the security awareness program. CC ID 16368 Human Resources management Training
    Document security awareness requirements. CC ID 12146 Human Resources management Establish/Maintain Documentation
    Include safeguards for information systems in the security awareness program. CC ID 13046 Human Resources management Establish/Maintain Documentation
    Include security policies and security standards in the security awareness program. CC ID 13045 Human Resources management Establish/Maintain Documentation
    Include physical security in the security awareness program. CC ID 16369 Human Resources management Training
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Human Resources management Establish/Maintain Documentation
    Include updates on emerging issues in the security awareness program. CC ID 13184 Human Resources management Training
    Include cybersecurity in the security awareness program. CC ID 13183 Human Resources management Training
    Include implications of non-compliance in the security awareness program. CC ID 16425 Human Resources management Training
    Include the acceptable use policy in the security awareness program. CC ID 15487 Human Resources management Training
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Human Resources management Establish/Maintain Documentation
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Human Resources management Establish/Maintain Documentation
    Include remote access in the security awareness program. CC ID 13892 Human Resources management Establish/Maintain Documentation
    Document the goals of the security awareness program. CC ID 12145 Human Resources management Establish/Maintain Documentation
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Human Resources management Establish/Maintain Documentation
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources management Human Resources Management
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources management Human Resources Management
    Document the scope of the security awareness program. CC ID 12148 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Human Resources management Establish/Maintain Documentation
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources management Human Resources Management
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Human Resources management Behavior
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Human Resources management Training
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Human Resources management Establish/Maintain Documentation
    Conduct tampering prevention training. CC ID 11875 Human Resources management Training
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Human Resources management Training
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Human Resources management Training
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Human Resources management Training
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Human Resources management Training
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Human Resources management Training
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Human Resources management Training
    Conduct crime prevention training. CC ID 06350 Human Resources management Behavior
    Establish, implement, and maintain a Code of Conduct. CC ID 04897
    [An organization of providers of information and communications services may establish and implement a code of conduct applicable to providers of information and communications services with an objective to protect users and render information and communications services in a safer and more reliable way. Article 44-4 ¶ 1]
    Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain a code of conduct for financial recommendations. CC ID 16649 Human Resources management Establish/Maintain Documentation
    Include anti-coercion requirements and anti-tying requirements in the Code of Conduct. CC ID 16720 Human Resources management Establish/Maintain Documentation
    Include limitations on referrals for products and services in the Code of Conduct. CC ID 16719 Human Resources management Behavior
    Include classifications of ethics violations in the Code of Conduct. CC ID 14769 Human Resources management Establish/Maintain Documentation
    Include definitions of ethics violations in the Code of Conduct. CC ID 14768 Human Resources management Establish/Maintain Documentation
    Include exercising due professional care in the Code of Conduct. CC ID 14210 Human Resources management Establish/Maintain Documentation
    Include health and safety provisions in the Code of Conduct. CC ID 16206 Human Resources management Establish/Maintain Documentation
    Include organizational values in the Code of Conduct. CC ID 12919 Human Resources management Process or Activity
    Include key policies in the Code of Conduct. CC ID 12890 Human Resources management Establish/Maintain Documentation
    Include responsibilities to the public trust in the Code of Conduct. CC ID 14209 Human Resources management Establish/Maintain Documentation
    Include the vision statement in the Code of Conduct. CC ID 12889 Human Resources management Establish/Maintain Documentation
    Include the organization's mission in the Code of Conduct. CC ID 12875 Human Resources management Establish/Maintain Documentation
    Include classifications of desired conduct in the Code of Conduct. CC ID 12851 Human Resources management Establish/Maintain Documentation
    Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment. CC ID 12029 Human Resources management Human Resources Management
    Include environmental responsibility criteria in the Code of Conduct. CC ID 16209 Human Resources management Establish/Maintain Documentation
    Include social responsibility criteria in the Code of Conduct. CC ID 16210 Human Resources management Establish/Maintain Documentation
    Include that Information Security responsibilities extend outside normal business hours and organizational facilities in the Terms and Conditions of employment. CC ID 04580 Human Resources management Establish/Maintain Documentation
    Include labor rights criteria in the Code of Conduct. CC ID 16208 Human Resources management Establish/Maintain Documentation
    Include the employee's legal responsibilities and rights in the Terms and Conditions of employment. CC ID 15701 Human Resources management Establish/Maintain Documentation
    Notify designated personnel when a formal personnel sanctions process is initiated. CC ID 10632 Human Resources management Communicate
    Include definitions of desirable conduct in the Code of Conduct. CC ID 12846 Human Resources management Establish/Maintain Documentation
    Include notification procedures for allegations of undesirable conduct in the Code of Conduct. CC ID 12855 Human Resources management Establish/Maintain Documentation
    Include procedures to identify positive outcomes in the Code of Conduct. CC ID 12854 Human Resources management Establish/Maintain Documentation
    Take disciplinary actions against individuals who violate the Code of Conduct. CC ID 06435 Human Resources management Behavior
    Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment. CC ID 06664 Human Resources management Establish/Maintain Documentation
    Require all personnel to re-sign the Code of Conduct, as necessary. CC ID 06666 Human Resources management Establish/Maintain Documentation
    Establish, implement, and maintain an ethics program. CC ID 11496 Human Resources management Human Resources Management
    Include communication protocols for interested personnel and affected parties in the ethics program. CC ID 12858
    [{refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within speculative activities prohibited by statutes; Article 44-7(1)(6)
    {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that commits an activity prohibited by the National Security Act; Article 44-7(1)(8)
    {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Other information with a content that attempts, aids, or abets to commit a crime. Article 44-7(1)(9)
    {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that arouses fear or apprehension by reaching other persons repeatedly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(3)]
    Human Resources management Communicate
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Establishment and implementation of an internal control plan for managing personal information in a safe way; Article 28(1)(1)]
    Operational management Establish/Maintain Documentation
    Define the scope for the internal control framework. CC ID 16325 Operational management Business Processes
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Establish Roles
    Assign resources to implement the internal control framework. CC ID 00816 Operational management Business Processes
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Operational management Establish Roles
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Operational management Business Processes
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Establish/Maintain Documentation
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Establish/Maintain Documentation
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Business Processes
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Operational management Establish/Maintain Documentation
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Establish/Maintain Documentation
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Establish/Maintain Documentation
    Automate threat assessments, as necessary. CC ID 06877 Operational management Configuration
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Operational management Establish/Maintain Documentation
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Configuration
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Establish/Maintain Documentation
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Establish/Maintain Documentation
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Establish/Maintain Documentation
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Establish/Maintain Documentation
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Communicate
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Process or Activity
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Establish/Maintain Documentation
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Establish/Maintain Documentation
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Establish/Maintain Documentation
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Establish/Maintain Documentation
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Communicate
    Establish, implement, and maintain an information security program. CC ID 00812
    [A chief information protection officer shall be responsible for the following matters: Analysis/evaluation and improvement of the weakness of information protection; Article 45-3(3)(2)
    A chief information protection officer shall be responsible for the following matters: Preparation of preliminary measures for information protection and designing/realization, etc. of security measures; Article 45-3(3)(4)
    A chief information protection officer shall be responsible for the following matters: Other matters, such as taking necessary measures for protection of information pursuant to this Act or other relevant statutes. Article 45-3(3)(7)
    Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Operational management Establish/Maintain Documentation
    Include physical safeguards in the information security program. CC ID 12375 Operational management Establish/Maintain Documentation
    Include technical safeguards in the information security program. CC ID 12374
    [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Operational management Establish/Maintain Documentation
    Include administrative safeguards in the information security program. CC ID 12373
    [A chief information protection officer shall be responsible for the following matters: Establishment and administration/operation of an administrative system for information protection; Article 45-3(3)(1)
    Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Operational management Establish/Maintain Documentation
    Include system development in the information security program. CC ID 12389 Operational management Establish/Maintain Documentation
    Include system maintenance in the information security program. CC ID 12388 Operational management Establish/Maintain Documentation
    Include system acquisition in the information security program. CC ID 12387 Operational management Establish/Maintain Documentation
    Include access control in the information security program. CC ID 12386 Operational management Establish/Maintain Documentation
    Include operations management in the information security program. CC ID 12385 Operational management Establish/Maintain Documentation
    Include communication management in the information security program. CC ID 12384 Operational management Establish/Maintain Documentation
    Include environmental security in the information security program. CC ID 12383 Operational management Establish/Maintain Documentation
    Include physical security in the information security program. CC ID 12382 Operational management Establish/Maintain Documentation
    Include human resources security in the information security program. CC ID 12381 Operational management Establish/Maintain Documentation
    Include asset management in the information security program. CC ID 12380 Operational management Establish/Maintain Documentation
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Establish/Maintain Documentation
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Establish/Maintain Documentation
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Establish/Maintain Documentation
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Establish/Maintain Documentation
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Establish/Maintain Documentation
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Establish/Maintain Documentation
    Include risk management in the information security program. CC ID 12378 Operational management Establish/Maintain Documentation
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Establish/Maintain Documentation
    Provide management direction and support for the information security program. CC ID 11999 Operational management Process or Activity
    Monitor and review the effectiveness of the information security program. CC ID 12744
    [A chief information protection officer shall be responsible for the following matters: Review of a preliminary security for information protection; Article 45-3(3)(5)]
    Operational management Monitor and Evaluate Occurrences
    Establish, implement, and maintain an information security policy. CC ID 11740 Operational management Establish/Maintain Documentation
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Business Processes
    Include business processes in the information security policy. CC ID 16326 Operational management Establish/Maintain Documentation
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Establish/Maintain Documentation
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Establish/Maintain Documentation
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Establish/Maintain Documentation
    Include information security objectives in the information security policy. CC ID 13493 Operational management Establish/Maintain Documentation
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Establish/Maintain Documentation
    Include notification procedures in the information security policy. CC ID 16842 Operational management Establish/Maintain Documentation
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Process or Activity
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Business Processes
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Establish/Maintain Documentation
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Communicate
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Establish/Maintain Documentation
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Operational management Process or Activity
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Establish Roles
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Human Resources Management
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Establish/Maintain Documentation
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Human Resources Management
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Communicate
    Establish, implement, and maintain a social media governance program. CC ID 06536 Operational management Establish/Maintain Documentation
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Business Processes
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Business Processes
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Behavior
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Establish/Maintain Documentation
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Establish/Maintain Documentation
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain operational control procedures. CC ID 00831
    [Every provider of telecommunications billing services shall take administrative measures, including formulation of guidelines for work process and classification of accounts, and technical measures, including establishment of an information protection system, to secure safety and reliability of transactions through telecommunications billing services as prescribed by Presidential Decree. Article 57(2)]
    Operational management Establish/Maintain Documentation
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Establish/Maintain Documentation
    Include startup processes in operational control procedures. CC ID 00833 Operational management Establish/Maintain Documentation
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Establish/Maintain Documentation
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Establish/Maintain Documentation
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Process or Activity
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Establish/Maintain Documentation
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Establish/Maintain Documentation
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Establish/Maintain Documentation
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Establish/Maintain Documentation
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Establish/Maintain Documentation
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Establish/Maintain Documentation
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Establish/Maintain Documentation
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Establish/Maintain Documentation
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Establish/Maintain Documentation
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Establish/Maintain Documentation
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Establish/Maintain Documentation
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Establish/Maintain Documentation
    Include information sharing procedures in standard operating procedures. CC ID 12974 Operational management Records Management
    Establish, implement, and maintain information sharing agreements. CC ID 15645 Operational management Business Processes
    Provide support for information sharing activities. CC ID 15644 Operational management Process or Activity
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Business Processes
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Communicate
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Operational management Establish/Maintain Documentation
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Establish/Maintain Documentation
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Establish/Maintain Documentation
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Establish/Maintain Documentation
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Establish/Maintain Documentation
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Establish/Maintain Documentation
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Establish/Maintain Documentation
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Establish/Maintain Documentation
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Establish/Maintain Documentation
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Establish/Maintain Documentation
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Establish/Maintain Documentation
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Establish/Maintain Documentation
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Technical Security
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Establish/Maintain Documentation
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Data and Information Management
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Establish/Maintain Documentation
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Establish/Maintain Documentation
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Establish/Maintain Documentation
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Establish/Maintain Documentation
    Include the usage restrictions of mobile code technologies in the Acceptable Use Policy. CC ID 15311 Operational management Establish/Maintain Documentation
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Establish/Maintain Documentation
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Communicate
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Business Processes
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 Operational management Establish/Maintain Documentation
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Establish/Maintain Documentation
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Establish/Maintain Documentation
    Identify the sender in all electronic messages. CC ID 13996 Operational management Data and Information Management
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Service Management System. CC ID 13889 Operational management Business Processes
    Establish, implement, and maintain a service management program. CC ID 11388
    [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)]
    Operational management Establish/Maintain Documentation
    Communicate the service management program to interested personnel and affected parties. CC ID 13904 Operational management Communicate
    Communicate service management release success or failures to interested personnel and affected parties, as necessary. CC ID 13927 Operational management Communicate
    Communicate the release dates of applicable services to interested personnel and affected parties. CC ID 13924 Operational management Communicate
    Include the implications of failing to comply with the Service Management System requirements in the communication plan for the service management program. CC ID 13909 Operational management Communicate
    Include the benefits of improved performance in the communication plan for the service management program. CC ID 13908 Operational management Communicate
    Include the importance of conforming to the Service Management System requirements in the communication plan for the service management program. CC ID 13907 Operational management Communicate
    Include a service management plan in the service management program. CC ID 13902 Operational management Establish/Maintain Documentation
    Include the information security policy in the service management program. CC ID 13925 Operational management Establish/Maintain Documentation
    Include the change management policy in the service management program. CC ID 13923 Operational management Establish/Maintain Documentation
    Include the service management objectives in the service management program. CC ID 11389 Operational management Establish/Maintain Documentation
    Include the service requirements in the service management program. CC ID 11390 Operational management Establish/Maintain Documentation
    Include known limitations in the service management program. CC ID 11391 Operational management Establish/Maintain Documentation
    Include service management policies in the service management program. CC ID 11392 Operational management Establish/Maintain Documentation
    Assign roles and responsibilities in the service management program. CC ID 11393 Operational management Establish/Maintain Documentation
    Include all resources needed to achieve the objectives in the service management program. CC ID 11394 Operational management Establish/Maintain Documentation
    Include supply chain management procedures in the service management program. CC ID 11395 Operational management Establish/Maintain Documentation
    Include service management procedures in the service management program. CC ID 11396 Operational management Establish/Maintain Documentation
    Include risk procedures in the service management program. CC ID 11397 Operational management Establish/Maintain Documentation
    Include continuity plans in the Service Management program. CC ID 13919 Operational management Establish/Maintain Documentation
    Include all technologies used to support service management in the service management program. CC ID 11398 Operational management Establish/Maintain Documentation
    Include auditing and improving service management procedures in the service management program. CC ID 11399 Operational management Establish/Maintain Documentation
    Disseminate and communicate the suspension period of suspended services to interested personnel and affected parties. CC ID 15459
    [{relevant authority}{stipulated timeframe} When the identification service agency intends to suspend all or part of identification service, it shall determine and notify a suspension period to the users no later than 30 days prior to the intended date of suspension and shall report the same to the Korea Communications Commission. In this case, the suspension period shall not exceed six months. Article 23-3(2)
    {relevant authority} When the identification service agency intends to discontinue the identification affairs, it shall notify the intention to the users no later than 60 days prior to the intended date of discontinuation and shall report the same to the Korea Communications Commission. Article 23-3(3)]
    Operational management Communicate
    Establish, implement, and maintain a customer service program. CC ID 00846 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Management program. CC ID 00853 Operational management Business Processes
    Include detection procedures in the Incident Management program. CC ID 00588 Operational management Establish/Maintain Documentation
    Record actions taken by investigators during a forensic investigation in the forensic investigation report. CC ID 07095 Operational management Establish/Maintain Documentation
    Comply with privacy regulations and civil liberties requirements when sharing data loss event information. CC ID 10036 Operational management Data and Information Management
    Notify interested personnel and affected parties of an extortion payment in the event of a cybersecurity event. CC ID 16539 Operational management Communicate
    Notify interested personnel and affected parties of the reasons for the extortion payment, along with any alternative solutions. CC ID 16538 Operational management Communicate
    Document the justification for not reporting incidents to interested personnel and affected parties. CC ID 16547 Operational management Establish/Maintain Documentation
    Report to breach notification organizations the reasons for a delay in sending breach notifications. CC ID 16797 Operational management Communicate
    Report to breach notification organizations the distribution list to which the organization will send data loss event notifications. CC ID 16782 Operational management Communicate
    Include data loss event notifications in the Incident Response program. CC ID 00364 Operational management Establish/Maintain Documentation
    Include required information in the written request to delay the notification to affected parties. CC ID 16785 Operational management Establish/Maintain Documentation
    Submit written requests to delay the notification of affected parties. CC ID 16783 Operational management Communicate
    Revoke the written request to delay the notification. CC ID 16843 Operational management Process or Activity
    Design the text of the notice for all incident response notifications to be no smaller than 10-point type. CC ID 12985 Operational management Establish/Maintain Documentation
    Refrain from charging for providing incident response notifications. CC ID 13876 Operational management Business Processes
    Title breach notifications "Notice of Data Breach". CC ID 12977 Operational management Establish/Maintain Documentation
    Display titles of incident response notifications clearly and conspicuously. CC ID 12986 Operational management Establish/Maintain Documentation
    Display headings in incident response notifications clearly and conspicuously. CC ID 12987 Operational management Establish/Maintain Documentation
    Design the incident response notification to call attention to its nature and significance. CC ID 12984 Operational management Establish/Maintain Documentation
    Use plain language to write incident response notifications. CC ID 12976 Operational management Establish/Maintain Documentation
    Include directions for changing the user's authenticator or security questions and answers in the breach notification. CC ID 12983 Operational management Establish/Maintain Documentation
    Refrain from including restricted information in the incident response notification. CC ID 16806 Operational management Actionable Reports or Measurements
    Include the affected parties' rights in the incident response notification. CC ID 16811 Operational management Establish/Maintain Documentation
    Include details of the investigation in incident response notifications. CC ID 12296 Operational management Establish/Maintain Documentation
    Include the issuer's name in incident response notifications. CC ID 12062 Operational management Establish/Maintain Documentation
    Include a "What Happened" heading in breach notifications. CC ID 12978 Operational management Establish/Maintain Documentation
    Include a general description of the data loss event in incident response notifications. CC ID 04734
    [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)
    A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Operational management Establish/Maintain Documentation
    Include time information in incident response notifications. CC ID 04745 Operational management Establish/Maintain Documentation
    Include the identification of the data source in incident response notifications. CC ID 12305 Operational management Establish/Maintain Documentation
    Include a "What Information Was Involved" heading in the breach notification. CC ID 12979 Operational management Establish/Maintain Documentation
    Include the type of information that was lost in incident response notifications. CC ID 04735
    [{relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Each item of the personal information leaked; Article 27-3(1)(1)]
    Operational management Establish/Maintain Documentation
    Include the type of information the organization maintains about the affected parties in incident response notifications. CC ID 04776 Operational management Establish/Maintain Documentation
    Include a "What We Are Doing" heading in the breach notification. CC ID 12982 Operational management Establish/Maintain Documentation
    Include what the organization has done to enhance data protection controls in incident response notifications. CC ID 04736 Operational management Establish/Maintain Documentation
    Include what the organization is offering or has already done to assist affected parties in incident response notifications. CC ID 04737 Operational management Establish/Maintain Documentation
    Include a "For More Information" heading in breach notifications. CC ID 12981 Operational management Establish/Maintain Documentation
    Include details of the companies and persons involved in incident response notifications. CC ID 12295 Operational management Establish/Maintain Documentation
    Include the credit reporting agencies' contact information in incident response notifications. CC ID 04744 Operational management Establish/Maintain Documentation
    Include the reporting individual's contact information in incident response notifications. CC ID 12297 Operational management Establish/Maintain Documentation
    Include any consequences in the incident response notifications. CC ID 12604 Operational management Establish/Maintain Documentation
    Include whether the notification was delayed due to a law enforcement investigation in incident response notifications. CC ID 04746 Operational management Establish/Maintain Documentation
    Include a "What You Can Do" heading in the breach notification. CC ID 12980 Operational management Establish/Maintain Documentation
    Include contact information in incident response notifications. CC ID 04739
    [{relevant authority} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Article 27-3(1)(5)]
    Operational management Establish/Maintain Documentation
    Include a copy of the incident response notification in breach notifications, as necessary. CC ID 13085 Operational management Communicate
    Post the incident response notification on the organization's website. CC ID 16809 Operational management Process or Activity
    Document the determination for providing a substitute incident response notification. CC ID 16841 Operational management Process or Activity
    Send electronic substitute incident response notifications to affected parties, as necessary. CC ID 04747 Operational management Behavior
    Include contact information in the substitute incident response notification. CC ID 16776 Operational management Establish/Maintain Documentation
    Post substitute incident response notifications to the organization's website, as necessary. CC ID 04748 Operational management Establish/Maintain Documentation
    Send substitute incident response notifications to breach notification organizations, as necessary. CC ID 04750 Operational management Behavior
    Publish the substitute incident response notification in a general circulation periodical, as necessary. CC ID 04769 Operational management Behavior
    Include incident reporting procedures in the Incident Management program. CC ID 11772 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain incident reporting time frame standards. CC ID 12142
    [{relevant authority}{stipulated timeframe} When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Article 27-3(1)]
    Operational management Communicate
    Provide customer security advice, as necessary. CC ID 13674
    [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Measures available for users to take; Article 27-3(1)(3)
    A major provider of information and communications services may, if it is foreseen that a serious problem is likely to occur in the information system of a user who uses the services, the information and communications network, or similar provided by it because of an occurrence of a serious intrusion on its information and communications network, request the user to take necessary protective measures as stipulated by the standard user agreement, and may place a temporary restriction on access to the relevant information and communications network if the user does not perform as requested. Article 47-4(2)]
    Operational management Communicate
    Use simple understandable language when providing customer security advice. CC ID 13685 Operational management Communicate
    Disseminate and communicate to customers the risks associated with transaction limits. CC ID 13686 Operational management Communicate
    Display customer security advice prominently. CC ID 13667 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Incident Response program. CC ID 00579 Operational management Establish/Maintain Documentation
    Create an incident response report following an incident response. CC ID 12700 Operational management Establish/Maintain Documentation
    Include information on all affected assets in the incident response report. CC ID 12718
    [{relevant authority} A person falling under any of the following subparagraphs shall furnish the Minister of Science, ICT and Future Planning or the Korea Internet and Security Agency with the information related to intrusion cases, including statistics by type of intrusion cases, statistics of traffic of the relevant information and communications network, and statistics of use by access channel, as prescribed by Presidential Decree: Article 48-2(2)]
    Operational management Establish/Maintain Documentation
    Include the duration of the incident in the incident response report. CC ID 12716
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Operational management Establish/Maintain Documentation
    Include the reasons the incident occurred in the incident response report. CC ID 12711
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)]
    Operational management Establish/Maintain Documentation
    Include when the incident occurred in the incident response report. CC ID 12709
    [A business operator of clustered information and communications facilities shall, when it suspends its services in accordance with paragraph (1), immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters. Article 46-2(2)
    {relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Point of time the personal information is leaked; Article 27-3(1)(2)]
    Operational management Establish/Maintain Documentation
    Include corrective action taken to eradicate the incident in the incident response report. CC ID 12708
    [{relevant authority}When a provider of information and communications services or similar becomes aware of the loss, theft, or leakage of personal information (hereinafter referred to as "leakages, etc."), he or she shall immediately inform the relevant users of all the following matters and report to the Korea Communications Commission or the Korea Internet Security Agency, and shall not notify or report them after 24 hours have elapsed since he or she became aware of such fact without any justifiable cause: Provided, That other measures in lieu of the aforementioned notification may be taken as prescribed by Presidential Decree where users' contact information is unknown or other good cause exists: Responsible departments and contact information to be used for the users who seek consultations, etc., to submit their application for such consultations. Countermeasures to be taken by a provider of information and communications services or similar; Article 27-3(1)(4)]
    Operational management Establish/Maintain Documentation
    Include a root cause analysis of the incident in the incident response report. CC ID 12701
    [{relevant authority}{loss}{theft}{leakage}{personal information} A provider of information and communications services, etc. shall explain just cause under the main sentence of and proviso to paragraph (1) to the Korea Communications Commission. Article 27-3(3)]
    Operational management Establish/Maintain Documentation
    Mitigate reported incidents. CC ID 12973
    [{mitigate} A person who operates an information and communications network, including a provider of information and communications services, shall analyze causes of intrusion and keep damage from intrusion at bay, whenever an intrusion occurs. Article 48-4(1)]
    Operational management Actionable Reports or Measurements
    Establish, implement, and maintain an incident response plan. CC ID 12056
    [A chief information protection officer shall be responsible for the following matters: Prevention of and response to an intrusion; Article 45-3(3)(3)]
    Operational management Establish/Maintain Documentation
    Include addressing external communications in the incident response plan. CC ID 13351 Operational management Establish/Maintain Documentation
    Include addressing internal communications in the incident response plan. CC ID 13350 Operational management Establish/Maintain Documentation
    Include change control procedures in the incident response plan. CC ID 15479 Operational management Establish/Maintain Documentation
    Include addressing information sharing in the incident response plan. CC ID 13349 Operational management Establish/Maintain Documentation
    Include dynamic reconfiguration in the incident response plan. CC ID 14306 Operational management Establish/Maintain Documentation
    Include a definition of reportable incidents in the incident response plan. CC ID 14303 Operational management Establish/Maintain Documentation
    Include the management support needed for incident response in the incident response plan. CC ID 14300 Operational management Establish/Maintain Documentation
    Include root cause analysis in the incident response plan. CC ID 16423 Operational management Establish/Maintain Documentation
    Include how incident response fits into the organization in the incident response plan. CC ID 14294 Operational management Establish/Maintain Documentation
    Include the resources needed for incident response in the incident response plan. CC ID 14292 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a change control program. CC ID 00886 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a software release policy. CC ID 00893 Operational management Establish/Maintain Documentation
    Disseminate and communicate software update information to users and regulators. CC ID 06602
    [{relevant authority} A software business operator under Article 2 of the Software Industry Promotion Act shall, when he or she produced a program that improves weaknesses in security, notify the Korea Internet and Security Agency of its production, and shall notify users of the software of the production at least twice within one month from the date of production. Article 47-4(3)]
    Operational management Behavior
    Manage the creation of products and services, as necessary. CC ID 13497 Operational management Business Processes
    Delete age-restricted content, as necessary. CC ID 15450
    [A provider of information and communications services shall, if there is any unwholesome medium for juvenile published in violation of the labeling method under Article 42 in the information and communications network operated and managed by him or her or if a content advertising any unwholesome medium for juvenile is displayed in such network without any measures to restrict access by juvenile under Article 42-2, delete such content without delay. Article 44-2(3)]
    Operational management Process or Activity
    Establish, implement, and maintain procedures to manage age-restricted content. CC ID 15448
    [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3)]
    Operational management Establish/Maintain Documentation
    Control the distribution of media containing age-restricted content, as necessary. CC ID 15446
    [The person responsible for protection of juvenile shall block and control unwholesome information for juvenile in the information and communications network, and shall perform business affairs for protection of juvenile, including establishment of a plan for protection of juvenile from unwholesome information for juvenile. Article 42-3(3)
    {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with an obscene content distributed, sold, rented, or displayed openly in the form of code, words, sound, image, or motion picture; Article 44-7(1)(1)
    {refrain from circulating}No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that falls within an unwholesome medium for juvenile under the Juvenile Protection Act and that is provided for profit without fulfilling the duties and obligations under relevant statutes, including the duty to verify the opposite party's age and the duty of labeling; Article 44-7(1)(5)
    {refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1]
    Operational management Process or Activity
    Establish, implement, and maintain system hardening procedures. CC ID 12001 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain authenticators. CC ID 15305 System hardening through configuration management Technical Security
    Establish, implement, and maintain an authenticator standard. CC ID 01702 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain an authenticator management system. CC ID 12031 System hardening through configuration management Establish/Maintain Documentation
    Establish, implement, and maintain authenticator procedures. CC ID 12002
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for preventing fabrication and alteration of access records; Article 28(1)(3)]
    System hardening through configuration management Establish/Maintain Documentation
    Restrict access to authentication files to authorized personnel, as necessary. CC ID 12127 System hardening through configuration management Technical Security
    Configure authenticators to comply with organizational standards. CC ID 06412 System hardening through configuration management Configuration
    Configure the system to require new users to change their authenticator on first use. CC ID 05268 System hardening through configuration management Configuration
    Configure authenticators so that group authenticators or shared authenticators are prohibited. CC ID 00519 System hardening through configuration management Configuration
    Configure the system to prevent unencrypted authenticator use. CC ID 04457 System hardening through configuration management Configuration
    Disable store passwords using reversible encryption. CC ID 01708 System hardening through configuration management Configuration
    Configure the system to encrypt authenticators. CC ID 06735 System hardening through configuration management Configuration
    Configure the system to mask authenticators. CC ID 02037 System hardening through configuration management Configuration
    Configure the authenticator policy to ban the use of usernames or user identifiers in authenticators. CC ID 05992 System hardening through configuration management Configuration
    Configure the "minimum number of digits required for new passwords" setting to organizational standards. CC ID 08717 System hardening through configuration management Establish/Maintain Documentation
    Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards. CC ID 08718 System hardening through configuration management Establish/Maintain Documentation
    Configure the system to refrain from specifying the type of information used as password hints. CC ID 13783 System hardening through configuration management Configuration
    Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards. CC ID 08719 System hardening through configuration management Establish/Maintain Documentation
    Disable machine account password changes. CC ID 01737 System hardening through configuration management Configuration
    Configure the "minimum number of special characters required for new passwords" setting to organizational standards. CC ID 08720 System hardening through configuration management Establish/Maintain Documentation
    Configure the "require new passwords to differ from old ones by the appropriate minimum number of characters" setting to organizational standards. CC ID 08722 System hardening through configuration management Establish/Maintain Documentation
    Configure the "password reuse" setting to organizational standards. CC ID 08724 System hardening through configuration management Establish/Maintain Documentation
    Configure the "Disable Remember Password" setting. CC ID 05270 System hardening through configuration management Configuration
    Configure the "Minimum password age" to organizational standards. CC ID 01703 System hardening through configuration management Configuration
    Configure the LILO/GRUB password. CC ID 01576 System hardening through configuration management Configuration
    Configure the system to use Apple's Keychain Access to store passwords and certificates. CC ID 04481 System hardening through configuration management Configuration
    Change the default password to Apple's Keychain. CC ID 04482 System hardening through configuration management Configuration
    Configure Apple's Keychain items to ask for the Keychain password. CC ID 04483 System hardening through configuration management Configuration
    Configure the Syskey Encryption Key and associated password. CC ID 05978 System hardening through configuration management Configuration
    Configure the "Accounts: Limit local account use of blank passwords to console logon only" setting. CC ID 04505 System hardening through configuration management Configuration
    Configure the "System cryptography: Force strong key protection for user keys stored in the computer" setting. CC ID 04534 System hardening through configuration management Configuration
    Configure interactive logon for accounts that do not have assigned authenticators in accordance with organizational standards. CC ID 05267 System hardening through configuration management Configuration
    Enable or disable remote connections from accounts with empty authenticators, as appropriate. CC ID 05269 System hardening through configuration management Configuration
    Configure the "Send LanMan compatible password" setting. CC ID 05271 System hardening through configuration management Configuration
    Configure the authenticator policy to ban or allow authenticators as words found in dictionaries, as appropriate. CC ID 05993 System hardening through configuration management Configuration
    Set the most number of characters required for the BitLocker Startup PIN correctly. CC ID 06054 System hardening through configuration management Configuration
    Set the default folder for BitLocker recovery passwords correctly. CC ID 06055 System hardening through configuration management Configuration
    Notify affected parties to keep authenticators confidential. CC ID 06787 System hardening through configuration management Behavior
    Discourage affected parties from recording authenticators. CC ID 06788 System hardening through configuration management Behavior
    Configure the "shadow password for all accounts in /etc/passwd" setting to organizational standards. CC ID 08721 System hardening through configuration management Establish/Maintain Documentation
    Configure the "password hashing algorithm" setting to organizational standards. CC ID 08723 System hardening through configuration management Establish/Maintain Documentation
    Configure the "Disable password strength validation for Peer Grouping" setting to organizational standards. CC ID 10866 System hardening through configuration management Configuration
    Configure the "Set the interval between synchronization retries for Password Synchronization" setting to organizational standards. CC ID 11185 System hardening through configuration management Configuration
    Configure the "Set the number of synchronization retries for servers running Password Synchronization" setting to organizational standards. CC ID 11187 System hardening through configuration management Configuration
    Configure the "Turn off password security in Input Panel" setting to organizational standards. CC ID 11296 System hardening through configuration management Configuration
    Configure the "Turn on the Windows to NIS password synchronization for users that have been migrated to Active Directory" setting to organizational standards. CC ID 11355 System hardening through configuration management Configuration
    Establish, implement, and maintain records management policies. CC ID 00903 Records management Establish/Maintain Documentation
    Determine how long to keep records and logs before disposing them. CC ID 11661 Records management Process or Activity
    Retain records in accordance with applicable requirements. CC ID 00968
    [{be impossible} An information provider specified by Presidential Decree among those who engage in a business of providing unwholesome media for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in a way to make it impossible to store or record the unwholesome media in a user's computer shall keep relevant information. Article 43(1)
    Every provider of telecommunications billing services shall preserve records of telecommunications billing services during the period, within the limit of five years, prescribed by Presidential Decree. Article 58(4)]
    Records management Records Management
    Establish, implement, and maintain records management procedures. CC ID 11619 Records management Establish/Maintain Documentation
    Establish, implement, and maintain data processing integrity controls. CC ID 00923
    [Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks. Article 45(1)]
    Records management Establish Roles
    Sanitize user input in accordance with organizational standards. CC ID 16856 Records management Process or Activity
    Establish, implement, and maintain Automated Data Processing validation checks and editing checks. CC ID 00924 Records management Data and Information Management
    Establish, implement, and maintain Automated Data Processing error handling procedures. CC ID 00925 Records management Establish/Maintain Documentation
    Establish, implement, and maintain Automated Data Processing error handling reporting. CC ID 11659 Records management Establish/Maintain Documentation
    Establish, implement, and maintain electronic storage media management procedures. CC ID 00931 Records management Establish/Maintain Documentation
    Establish, implement, and maintain security label procedures. CC ID 06747 Records management Establish/Maintain Documentation
    Establish, implement, and maintain restricted material identification procedures. CC ID 01889
    [A person who provides information to the general public purposely to make it public through telecommunications services rendered by a telecommunications business operator (hereinafter referred to as "information provider") and who intends to provide any unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the Juvenile Protection Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act shall put a label indicating that the information is an unwholesome medium for juvenile by the labeling method specified by Presidential Decree. Article 42 ¶ 1]
    Records management Establish/Maintain Documentation
    Conspicuously locate the restricted record's overall classification. CC ID 01890 Records management Establish/Maintain Documentation
    Mark a restricted record's displayed pages or printed pages with the appropriate classification. CC ID 01891 Records management Establish/Maintain Documentation
    Mark a restricted record's components (appendices, annexes) with the appropriate classification. CC ID 01892 Records management Establish/Maintain Documentation
    Mark a restricted record's portions (paragraphs, sections) with the appropriate classification. CC ID 01893 Records management Establish/Maintain Documentation
    Mark a restricted record's subject line or title with the appropriate classification. CC ID 01894 Records management Establish/Maintain Documentation
    Mark all forms of electronic messages that contain restricted data or restricted information with the appropriate classification. CC ID 01896 Records management Data and Information Management
    Establish, implement, and maintain online storage controls. CC ID 00942 Records management Technical Security
    Establish, implement, and maintain security controls appropriate to the record types and electronic storage media. CC ID 00943 Records management Records Management
    Provide encryption for different types of electronic storage media. CC ID 00945
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Measures for security by using encryption technology and other methods for safe storage and transmission of personal information; Article 28(1)(4)]
    Records management Technical Security
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Systems Design, Build, and Implementation
    Develop systems in accordance with the system design specifications and system design standards. CC ID 01094 Systems design, build, and implementation Systems Design, Build, and Implementation
    Develop new products based on best practices. CC ID 01095 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain a system design specification. CC ID 04557 Systems design, build, and implementation Establish/Maintain Documentation
    Include security requirements in the system design specification. CC ID 06826
    [{take into account} A provider of information and communications services shall, if he or she intends to newly establish an information and communications network or to provide information and communications services, take the matters regarding information protection into account in planning or designing thereof. Article 45-2(1)]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain access control procedures for the test environment that match those of the production environment. CC ID 06793 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain an electronic commerce program. CC ID 08617 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain payment transaction security measures. CC ID 13088
    [A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: A plan for protection of users of telecommunications billing services; Article 53(1)(2)
    Every provider of telecommunications billing services shall perform his or her duty to pay attention as a good manager so that telecommunications billing services may be provided in a safe manner. Article 57(1)]
    Acquisition or sale of facilities, technology, and services Technical Security
    Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 Acquisition or sale of facilities, technology, and services Business Processes
    Restrict transaction activities, as necessary. CC ID 16334 Acquisition or sale of facilities, technology, and services Business Processes
    Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 Acquisition or sale of facilities, technology, and services Communicate
    Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 Acquisition or sale of facilities, technology, and services Business Processes
    Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 Acquisition or sale of facilities, technology, and services Business Processes
    Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 Acquisition or sale of facilities, technology, and services Business Processes
    Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 Acquisition or sale of facilities, technology, and services Establish/Maintain Documentation
    Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 Acquisition or sale of facilities, technology, and services Business Processes
    Encrypt electronic commerce transactions and messages. CC ID 08621 Acquisition or sale of facilities, technology, and services Configuration
    Protect the integrity of application service transactions. CC ID 12017 Acquisition or sale of facilities, technology, and services Business Processes
    Include required information in electronic commerce transactions and messages. CC ID 15318 Acquisition or sale of facilities, technology, and services Data and Information Management
    Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 Acquisition or sale of facilities, technology, and services Business Processes
    Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 Acquisition or sale of facilities, technology, and services Communicate
    Bill and settle electronic commerce transactions. CC ID 08622 Acquisition or sale of facilities, technology, and services Business Processes
    Make electronic commerce order information available to the customer who ordered the product. CC ID 04585
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Date and time telecommunications billing services are used; Article 58(1)(1)
    When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Amount purchased/used through telecommunications billing services and details thereof; Article 58(1)(3)
    A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)]
    Acquisition or sale of facilities, technology, and services Data and Information Management
    Withhold payment and settlement functions, as necessary. CC ID 15460
    [Where a user of telecommunications billing services discovers that the telecommunications billing services have been rendered against his or her will, he or she may request the provider of telecommunications billing services to make corrections (excluding cases where there is an intentional act or negligence on the part of the user of the telecommunications billing services), and where the provider of telecommunications billing services finds that the user's request for making corrections is reasonable, he or she shall withhold the payment of the price for use to a seller and notify the user of the results thereof within two weeks from the date such correction was requested. Article 58(3)]
    Acquisition or sale of facilities, technology, and services Business Processes
    Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455
    [Where a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) provides telecommunications billing services or increases the upper limits of use, it shall obtain consent from a user of the relevant telecommunications billing services in advance. Article 58(5)]
    Acquisition or sale of facilities, technology, and services Behavior
    Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850
    [{unauthorized manipulation} The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Systematic and technical measures for preventing unlawful destruction or manipulation of information; Article 51(3)(2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the roles and responsibilities of the organization's legal counsel in the privacy framework. CC ID 14862 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data transparency program. CC ID 00375 Privacy protection for information and data Data and Information Management
    Establish and maintain privacy notices, as necessary. CC ID 13443 Privacy protection for information and data Establish/Maintain Documentation
    Include the purpose of the privacy notice in the privacy notice. CC ID 13526 Privacy protection for information and data Establish/Maintain Documentation
    Include the processing purpose in the privacy notice. CC ID 16543 Privacy protection for information and data Establish/Maintain Documentation
    Include contact information in the privacy notice. CC ID 14432
    [{be responsible} The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name and address of the person responsible for protection of personal information or the department responsible for business affairs related to the protection of personal information and processing related complaints and other contact information of such person or department. Article 27-2(2)(7)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's choices for data collection, data processing, data disclosure, and data retention in the privacy notice. CC ID 13503 Privacy protection for information and data Establish/Maintain Documentation
    Include the right to opt out of personal data disclosure in the privacy notice. CC ID 13460 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions on how to opt out of personal data disclosure in the privacy notice. CC ID 13461 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of third parties to which personal data is disclosed in the privacy notice. CC ID 13459 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's policies, standards, and procedures in the privacy notice. CC ID 13455 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's privacy framework in the privacy notice, as necessary. CC ID 13456 Privacy protection for information and data Establish/Maintain Documentation
    Include the personal data collection categories in the privacy notice. CC ID 13457 Privacy protection for information and data Establish/Maintain Documentation
    Include disclosure exceptions in the privacy notice. CC ID 13447 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of personal data disclosed in the privacy notice. CC ID 13446 Privacy protection for information and data Establish/Maintain Documentation
    Include descriptions of each type of personal data disclosed in the privacy notice. CC ID 13458 Privacy protection for information and data Establish/Maintain Documentation
    Specify the time frame that notice will be given. CC ID 00385 Privacy protection for information and data Establish/Maintain Documentation
    Include the information about the appeal process in the privacy notice. CC ID 15312
    [{information}{violate}{right} Every provider of information and communications services shall clearly state the details, procedure, and other matters concerning necessary measures in its standardized agreement in advance. Article 44-2(5)]
    Privacy protection for information and data Establish/Maintain Documentation
    Combine privacy notices into a joint notification with suppliers, as necessary. CC ID 13468 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from delivering privacy notices to data subjects, as necessary. CC ID 13445 Privacy protection for information and data Communicate
    Deliver privacy notices to data subjects, as necessary. CC ID 13444 Privacy protection for information and data Communicate
    Deliver a short-form initial notification along with an opt-out notice as an alternate to delivering a privacy notice, as necessary. CC ID 13464 Privacy protection for information and data Establish/Maintain Documentation
    Update privacy notices, as necessary. CC ID 13474 Privacy protection for information and data Communicate
    Redeliver privacy notices, as necessary. CC ID 14850 Privacy protection for information and data Communicate
    Deliver privacy notices to third parties, as necessary. CC ID 13473 Privacy protection for information and data Communicate
    Obtain acknowledgment of receipt of the privacy notice. CC ID 14435 Privacy protection for information and data Communicate
    Establish and maintain short-form initial notifications of privacy notices that are clear and conspicuous. CC ID 13466 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's privacy framework in the short-form initial notification, as necessary. CC ID 13472 Privacy protection for information and data Establish/Maintain Documentation
    Include the methodology for accessing the privacy notice in the short-form initial notification. CC ID 13471 Privacy protection for information and data Establish/Maintain Documentation
    Include that the privacy notice is available upon request in the short-form initial notification. CC ID 13470 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain opt-out notices. CC ID 13448 Privacy protection for information and data Establish/Maintain Documentation
    Include how opt out directions for joint consumers are treated in the opt-out notice. CC ID 13465 Privacy protection for information and data Establish/Maintain Documentation
    Include the opt out method for data subjects in the opt-out notice. CC ID 13467 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's right to opt out of personal data disclosure in the opt-out notice. CC ID 13463 Privacy protection for information and data Establish/Maintain Documentation
    Explain the right to opt out in the opt-out notice. CC ID 13462 Privacy protection for information and data Establish/Maintain Documentation
    Include the organization's right to share personal data in the opt-out notice. CC ID 13450 Privacy protection for information and data Establish/Maintain Documentation
    Deliver opt-out notices, as necessary. CC ID 13449 Privacy protection for information and data Communicate
    Include an initial privacy notification when delivering the opt-out notice. CC ID 13453 Privacy protection for information and data Communicate
    Provide a copy of the organization's privacy program to statutory authorities, as necessary. CC ID 12376 Privacy protection for information and data Communicate
    Affirm adequate protection of personal data to applicable statutory authorities if the organization is not a member of a privacy program. CC ID 12372 Privacy protection for information and data Communicate
    Notify statutory authorities of the organization's withdrawal from the privacy program. CC ID 12391 Privacy protection for information and data Communicate
    Notify statutory authorities about how restricted data will be handled following withdrawal from the privacy program. CC ID 16819 Privacy protection for information and data Data and Information Management
    Notify statutory authorities concerned with the privacy program if the surviving organization will continue in the privacy program. CC ID 12393 Privacy protection for information and data Communicate
    Notify data subjects about the organization's external requirements relevant to the privacy program. CC ID 12354 Privacy protection for information and data Communicate
    Provide the data subject with a notice of participation procedures. CC ID 06241 Privacy protection for information and data Establish/Maintain Documentation
    Deliver notices to the intended parties. CC ID 06240 Privacy protection for information and data Data and Information Management
    Notify data subjects about their privacy rights. CC ID 12989
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Rights of users and their legal representatives and methods for the exercise of such rights; Article 27-2(2)(5)]
    Privacy protection for information and data Communicate
    Disseminate and communicate the critical third party list with relevance to the privacy program to all interested personnel and affected parties. CC ID 12352 Privacy protection for information and data Communicate
    Establish, implement, and maintain adequate openness procedures. CC ID 00377 Privacy protection for information and data Data and Information Management
    Provide public proof the organization participates in a privacy program. CC ID 12349 Privacy protection for information and data Communicate
    Publish a description of processing activities in an official register. CC ID 00379 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a records request manual. CC ID 00381 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a description of voluntary disclosure and automatic availability of certain records. CC ID 00382 Privacy protection for information and data Establish/Maintain Documentation
    Register with public bodies and notify the Data Commissioner before processing personal data. CC ID 00383
    [{relevant authority} A person who intends to render telecommunications billing services shall meet the following requirements and complete registration with the Minister of Science, ICT and Future Planning as prescribed by Presidential Decree: Article 53(1)]
    Privacy protection for information and data Behavior
    Define what is included in registration notices. CC ID 00386 Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the registration notice. CC ID 16803 Privacy protection for information and data Establish Roles
    Include the verification method in the registration notice. CC ID 16798 Privacy protection for information and data Establish/Maintain Documentation
    Include the statutory authority in the registration notice. CC ID 16799 Privacy protection for information and data Establish/Maintain Documentation
    Include the address where the file or hardware supporting the data processing is located in the registration notice. CC ID 00387 Privacy protection for information and data Establish/Maintain Documentation
    Include a purpose specification description in the registration notice. CC ID 00388 Privacy protection for information and data Establish/Maintain Documentation
    Include information about the dispute resolution body in the registration notice. CC ID 16800 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject category being processed in the registration notice. CC ID 00389 Privacy protection for information and data Establish/Maintain Documentation
    Include the time period for data processing in the registration notice. CC ID 00390 Privacy protection for information and data Establish/Maintain Documentation
    Include procedures for when the registration notice for processing personal data is insufficient in the registration notice. CC ID 00392 Privacy protection for information and data Establish/Maintain Documentation
    Provide legal authorities access to personal data, upon request. CC ID 06818 Privacy protection for information and data Data and Information Management
    Provide the data subject with information about automated decision-making during personal data processing. CC ID 12609 Privacy protection for information and data Process or Activity
    Provide the data subject with information about obtaining automated decision-making used during personal data processing. CC ID 12618 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name, title, and address of the individual accountable for the organizational policies. CC ID 00394 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes. CC ID 00398 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with contractual requirements requiring the provision of personal data. CC ID 12588 Privacy protection for information and data Process or Activity
    Document the countries where restricted data may be stored. CC ID 12750 Privacy protection for information and data Data and Information Management
    Protect the rights of students and their parents or legal representatives. CC ID 00222 Privacy protection for information and data Data and Information Management
    Refrain from allowing access rights to education records maintained by another educational institution. CC ID 13014 Privacy protection for information and data Technical Security
    Refrain from allowing students the right to inspect the financial records of their parent or legal representative. CC ID 13025 Privacy protection for information and data Records Management
    Refrain from allowing students the right to inspect confidential letters and confidential letters of recommendation. CC ID 13019 Privacy protection for information and data Records Management
    Define the criteria for waivers of data subjects' rights. CC ID 16858 Privacy protection for information and data Behavior
    Revoke waivers of data subject's rights, as necessary. CC ID 16859 Privacy protection for information and data Behavior
    Disseminate and communicate the notification of rights to students and their parent or legal representative. CC ID 12996 Privacy protection for information and data Establish/Maintain Documentation
    Include the criteria for determining what constitutes a legitimate educational interest in the notification of rights. CC ID 13004 Privacy protection for information and data Establish/Maintain Documentation
    Include the criteria for determining what constitutes a school official in the notification of rights. CC ID 13003 Privacy protection for information and data Establish/Maintain Documentation
    Disclose educational data, as necessary. CC ID 00223 Privacy protection for information and data Data and Information Management
    Grant access to education records in support of educational program audits. CC ID 13032 Privacy protection for information and data Records Management
    Grant access to education records in support of external requirements. CC ID 13033 Privacy protection for information and data Records Management
    Disclose statements added to education records, as necessary. CC ID 12990 Privacy protection for information and data Communicate
    Obtain explicit consent from students or their parent or legal representative prior to using or disclosing educational data. CC ID 00220 Privacy protection for information and data Data and Information Management
    Disclose education records when written consent is received. CC ID 00224 Privacy protection for information and data Data and Information Management
    Specify the parties to whom education records may be disclosed in the written consent. CC ID 13002 Privacy protection for information and data Establish/Maintain Documentation
    Specify the purpose of the disclosure in the written consent. CC ID 13001 Privacy protection for information and data Establish/Maintain Documentation
    Specify which education records may be disclosed in the written consent. CC ID 13000 Privacy protection for information and data Establish/Maintain Documentation
    Document the conditions when consent is not required to disclose educational data. CC ID 00225 Privacy protection for information and data Establish/Maintain Documentation
    Disclose educational data absent consent when disclosure is in connection with a disciplinary proceeding. CC ID 13005 Privacy protection for information and data Communicate
    Refrain from disclosing disciplinary proceeding results unless the student has violated the institution's rules or policies. CC ID 13023 Privacy protection for information and data Communicate
    Disclose educational data absent consent when it concerns sex offenders. CC ID 13013 Privacy protection for information and data Communicate
    Disclose educational data absent consent to other school officials. CC ID 00226 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to another institution's school officials. CC ID 00227 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent in connection with financial aid. CC ID 00229 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to organizations conducting studies on tests. CC ID 00230 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to organizations conducting studies if educational data is destroyed when no longer required. CC ID 12995 Privacy protection for information and data Communicate
    Disclose educational data absent consent to accrediting organizations. CC ID 00231 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to a dependent student's parent or legal representative. CC ID 00232 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent in order to comply with a judicial order. CC ID 00233 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent for a health and safety emergency. CC ID 00234 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent when it is merely directory information. CC ID 00235 Privacy protection for information and data Data and Information Management
    Disclose educational data absent consent to a crime victim. CC ID 00236 Privacy protection for information and data Data and Information Management
    Record the health and safety threats of students when disclosing personal data. CC ID 12997 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from providing information to the data subject, as necessary. CC ID 12625
    [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2)
    A provider of information and communications services may, if it is difficult to judge whether information violates any right or it is anticipated that there will probably be a dispute between interested parties, take a measure to block access to the information temporarily (hereinafter referred to as "temporary measures"), irrespective of a request for deletion of the information under paragraph (1). In such cases, the period of time for the temporary measure shall not exceed 30 days. Article 44-2(4)]
    Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it is forbidden by law. CC ID 12651 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to statistical purposes. CC ID 12645 Privacy protection for information and data Communicate
    Provide the data subject with information about lifting any restriction of processing, as necessary. CC ID 12634 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to historical research purposes. CC ID 12633 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to scientific research purposes. CC ID 12632 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when it proves impossible due to archival purposes. CC ID 12631 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when providing information involves disproportionate effort. CC ID 12629 Privacy protection for information and data Communicate
    Refrain from providing information to the data subject when the data subject has the information. CC ID 12628 Privacy protection for information and data Communicate
    Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request. CC ID 00393
    [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)]
    Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the data retention period for personal data. CC ID 12587
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4)]
    Privacy protection for information and data Process or Activity
    Provide the data subject with the criteria used to determine the data retention period for personal data. CC ID 12589 Privacy protection for information and data Process or Activity
    Provide the data subject with the adequacy decision. CC ID 12586 Privacy protection for information and data Process or Activity
    Provide the data subject with references to the appropriate safeguards used to protect the privacy of personal data. CC ID 12585 Privacy protection for information and data Process or Activity
    Provide the data subject with copies of the appropriate safeguards used to protect the privacy of personal data. CC ID 12608 Privacy protection for information and data Process or Activity
    Provide the data subject with the means of gaining access to personal data held by the organization. CC ID 00396 Privacy protection for information and data Data and Information Management
    Refrain from requiring the data subject to create an account in order to submit a consumer request. CC ID 13780 Privacy protection for information and data Business Processes
    Provide the data subject with the data protection officer's contact information. CC ID 12573 Privacy protection for information and data Business Processes
    Notify the data subject of the right to data portability. CC ID 12603 Privacy protection for information and data Process or Activity
    Provide the data subject with information about the right to erasure. CC ID 12602 Privacy protection for information and data Process or Activity
    Provide the data subject with a description of the type of information held by the organization and a general account of its use. CC ID 00397
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A provider of information and communications services or similar falling under the standards determined by Presidential Decree shall periodically notify the users of the details of using personal information of such users (including details of the provision under Article 24-2 and of the entrustment of management of personal information under Article 25) in accordance with Article 22 and the proviso to Article 23 (1): Provided, That this shall not apply in cases where the provider of information and communications services or similar does not collect any contact information or other personal information that can be notified to users. Article 30-2(1)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with what personal data is made available to related organizations or subsidiaries. CC ID 00399
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: Items of the personal information transferred; Article 63(3)(1)]
    Privacy protection for information and data Data and Information Management
    Include individual's names to whom restricted data may be disclosed in the disclosure accounting record. CC ID 13027 Privacy protection for information and data Establish/Maintain Documentation
    Establish and maintain a disclosure accounting record. CC ID 13022 Privacy protection for information and data Establish/Maintain Documentation
    Include the official authorities that are allowed to disclose restricted data absent consent in the disclosure accounting record. CC ID 13029 Privacy protection for information and data Establish/Maintain Documentation
    Include the legitimate interests for accessing restricted data in the disclosure accounting record. CC ID 13028 Privacy protection for information and data Establish/Maintain Documentation
    Include what information was disclosed and to whom in the disclosure accounting record. CC ID 04680
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the personal data the organization refrained from disclosing in the disclosure accounting record. CC ID 13769 Privacy protection for information and data Establish/Maintain Documentation
    Include the sale of personal data in the disclosure accounting record, as necessary. CC ID 13768 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure date in the disclosure accounting record. CC ID 07133 Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure recipient in the disclosure accounting record. CC ID 07134
    [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The name (referring to the name of a legal corporation, if the person is a legal corporation; hereafter the same shall apply in this Article), address, and telephone number of a person to whom the personal information is to be transferred (hereinafter referred to as a "transferee of business or similar"), and other contact information of the person; Article 26(1)(2)
    If any personal information is transferred to a transferee of business, etc., he or she shall immediately notify the users of such fact and his or her name, domicile, telephone number and other contact details according to methods prescribed by Presidential Decree, such as the posting of such information on the Internet homepage or email. Article 26(2)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The name of the person to whom the personal information is to be transferred (referring to the name of a legal entity and the contact information of the person responsible for management of information, if the person is a legal entity); Article 63(3)(3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the disclosure purpose in the disclosure accounting record. CC ID 07135 Privacy protection for information and data Establish/Maintain Documentation
    Include the frequency, periodicity, or number of disclosures made during the accounting period in the disclosure accounting record. CC ID 07136 Privacy protection for information and data Establish/Maintain Documentation
    Include the final date of multiple disclosures in the disclosure accounting record. CC ID 07137 Privacy protection for information and data Establish/Maintain Documentation
    Include how personal data was used for research purposes in the disclosure accounting record. CC ID 07138 Privacy protection for information and data Establish/Maintain Documentation
    Include the research activity or research protocol in the disclosure accounting record. CC ID 07139 Privacy protection for information and data Establish/Maintain Documentation
    Include the record selection criteria for research activities in the disclosure accounting record. CC ID 07140 Privacy protection for information and data Establish/Maintain Documentation
    Include the contact information of the organization that sponsored the research activity in the disclosure accounting record. CC ID 07141 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of third parties to whom restricted data may be disclosed in the disclosure accounting record. CC ID 16860 Privacy protection for information and data Data and Information Management
    Disseminate and communicate the disclosure accounting record to interested personnel and affected parties. CC ID 14433 Privacy protection for information and data Communicate
    Provide shareholders with electronic messages regarding the shareholder meetings. CC ID 04586 Privacy protection for information and data Establish/Maintain Documentation
    Provide shareholders access to electronic messages via electronic means. CC ID 11855 Privacy protection for information and data Process or Activity
    Make telephone directory information available to the public. CC ID 08698 Privacy protection for information and data Establish/Maintain Documentation
    Display warning screens and confirmation screens for all payment transactions. CC ID 06409 Privacy protection for information and data Technical Security
    Define the acceptable data modifications before presenting the data to a data subject. CC ID 00400 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with information about the legitimate interests associated with personal data processing. CC ID 12614 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain a privacy policy. CC ID 06281
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject's rights in the privacy policy. CC ID 16355 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a privacy policy model document. CC ID 14720 Privacy protection for information and data Establish/Maintain Documentation
    Notify interested personnel and affected parties when changes are made to the privacy policy. CC ID 06943
    [{make aware} Every provider of information and communications services or similar shall, when he or she revises the policy on managing personal information under paragraph (1), give public notice of the reasons for and details of such revision without delay in a manner specified by Presidential Decree, and take measures to make users aware of the details of the revision easily at any time. Article 27-2(3)]
    Privacy protection for information and data Behavior
    Document the notification of interested personnel and affected parties regarding privacy policy changes. CC ID 06944 Privacy protection for information and data Establish/Maintain Documentation
    Write privacy notices in the official languages required by law. CC ID 16529 Privacy protection for information and data Establish/Maintain Documentation
    Define what is included in the privacy policy. CC ID 00404 Privacy protection for information and data Establish/Maintain Documentation
    Define the information being collected in the privacy policy. CC ID 13115
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define which collection of information is voluntary and which is required in the privacy policy. CC ID 13110 Privacy protection for information and data Establish/Maintain Documentation
    Include the means by which information is collected in the privacy policy. CC ID 13114
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the privacy policy. CC ID 14669 Privacy protection for information and data Establish/Maintain Documentation
    Include management commitment in the privacy policy. CC ID 14668 Privacy protection for information and data Establish/Maintain Documentation
    Include coordination amongst entities in the privacy policy. CC ID 14667 Privacy protection for information and data Establish/Maintain Documentation
    Include the policy for disclosing personal data of persons who have ceased to be customers in the privacy policy. CC ID 14854 Privacy protection for information and data Establish/Maintain Documentation
    Include compliance requirements in the privacy policy. CC ID 14666 Privacy protection for information and data Establish/Maintain Documentation
    Include the consequences of refusing to provide required information in the privacy policy. CC ID 13111 Privacy protection for information and data Establish/Maintain Documentation
    Include independent recourse mechanisms in the privacy policy, as necessary. CC ID 12366 Privacy protection for information and data Establish/Maintain Documentation
    Include the privacy programs the organization is a member of in the privacy policy. CC ID 12365 Privacy protection for information and data Establish/Maintain Documentation
    Include a complaint form in the privacy policy. CC ID 12364 Privacy protection for information and data Establish/Maintain Documentation
    Include the address where the files and hardware that support the data processing is located in the privacy policy. CC ID 00405 Privacy protection for information and data Establish/Maintain Documentation
    Include the processing purpose in the privacy policy. CC ID 00406
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include an overview of applicable information security controls in the privacy policy, as necessary. CC ID 13117 Privacy protection for information and data Establish/Maintain Documentation
    Include the data subject categories being processed in the privacy policy. CC ID 00407
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the retention period for collected information in the privacy policy. CC ID 13116
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the time period for when the data processing will be carried out in the privacy policy. CC ID 00408
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include other organizations that personal data is being disclosed to in the privacy policy. CC ID 00409
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The name of the person (referring to the name of a legal entity, if the person is a legal entity) to whom personal information is furnished, if the personal information is furnished to a third party, purposes of use of the person to whom the personal information is furnished, and items of the personal information furnished; Article 27-2(2)(2)
    The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Details of business affairs subject to the entrustment of management of personal information and the trustee (they shall be included in the policy on management, only where this subparagraph is applicable); Article 27-2(2)(4)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include how to gain access to personal data held by the organization in the privacy policy. CC ID 00410 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions on how to opt-out in the privacy policy. CC ID 00411 Privacy protection for information and data Establish/Maintain Documentation
    Include the privacy policy's Uniform Resource Locator in the privacy policy. CC ID 12363 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions on how to disable devices that collect restricted data in the privacy policy. CC ID 15454
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6)
    A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1]
    Privacy protection for information and data Establish/Maintain Documentation
    Include a description of devices that collect restricted data in the privacy policy. CC ID 15452
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Matters concerning installation, operation, and denial of a device that collect personal information automatically, such as an information file for access to internet; Article 27-2(2)(6)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the audit method used to assess the privacy program in the privacy policy. CC ID 12390 Privacy protection for information and data Establish/Maintain Documentation
    Post the privacy policy in an easily seen location. CC ID 00401 Privacy protection for information and data Establish/Maintain Documentation
    Define who will receive the privacy policy. CC ID 00402 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy policy to interested personnel and affected parties. CC ID 13346
    [Every provider of information and communications services or similar shall, when he or she manages personal information of users, establish and disclose its policy on managing personal information to the public in a manner specified by Presidential Decree so that users become aware of the policy easily at any time. Article 27-2(1)]
    Privacy protection for information and data Communicate
    Establish, implement, and maintain privacy procedures. CC ID 14665 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy procedures to all interested personnel and affected parties. CC ID 14664 Privacy protection for information and data Communicate
    Establish, implement, and maintain a privacy plan. CC ID 14672 Privacy protection for information and data Establish/Maintain Documentation
    Align the enterprise architecture with the privacy plan. CC ID 14705 Privacy protection for information and data Process or Activity
    Approve the privacy plan. CC ID 14700 Privacy protection for information and data Business Processes
    Include privacy requirements in the privacy plan. CC ID 14699 Privacy protection for information and data Establish/Maintain Documentation
    Include the information types in the privacy plan. CC ID 14695 Privacy protection for information and data Establish/Maintain Documentation
    Include threats in the privacy plan. CC ID 14694 Privacy protection for information and data Establish/Maintain Documentation
    Include roles and responsibilities in the privacy plan. CC ID 14702 Privacy protection for information and data Establish/Maintain Documentation
    Include a description of the operational context in the privacy plan. CC ID 14692 Privacy protection for information and data Establish/Maintain Documentation
    Include risk assessment results in the privacy plan. CC ID 14701 Privacy protection for information and data Establish/Maintain Documentation
    Include the security categorizations and rationale in the privacy plan. CC ID 14690 Privacy protection for information and data Establish/Maintain Documentation
    Include security controls in the privacy plan. CC ID 14681 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy plan to interested personnel and affected parties. CC ID 14680 Privacy protection for information and data Communicate
    Include a description of the operational environment in the privacy plan. CC ID 14679 Privacy protection for information and data Establish/Maintain Documentation
    Include network diagrams in the privacy plan. CC ID 14678 Privacy protection for information and data Establish/Maintain Documentation
    Include the results of the privacy risk assessment in the privacy plan. CC ID 14677 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a privacy report. CC ID 14754 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the privacy report to interested personnel and affected parties. CC ID 14761 Privacy protection for information and data Communicate
    Protect private communications in keeping with compliance requirements. CC ID 14334 Privacy protection for information and data Business Processes
    Establish, implement, and maintain personal data choice and consent program. CC ID 12569
    [A person who obtains consent to receive advertising information pursuant to paragraph (1) or (3) shall regularly verify whether an addressee of advertising information consents to receive such information, as prescribed by Presidential Decree. Article 50(8)]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data request procedures. CC ID 16546 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from discriminating against data subjects who have exercised privacy rights. CC ID 13435
    [{refrain from refusing}{do not consent}{not necessary} No provider of information and communications services shall refuse to provide the relevant services to users on the ground that the users give no consent to the establishment of access authority not certainly necessary to provide the relevant services. Article 22-2(2)
    {refrain from refusing} No provider of information and communications services shall refuse to provide such services on the ground that a user does not provide personal information other than the minimum personal information required. In such cases, the minimum personal information required means information that is specifically required to perform essential functions of the relevant services. Article 23(3)
    {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)]
    Privacy protection for information and data Human Resources Management
    Refrain from charging a fee to implement an opt-out request. CC ID 13877
    [A person who transmits advertising information for profit by using an electronic transmission medium shall take necessary measures so that an addressee does not incur any cost, such as telephone charges, when the addressee refuses to receive or revokes his or her consent to receive such information, as prescribed by Presidential Decree. Article 50(6)]
    Privacy protection for information and data Business Processes
    Establish and maintain disclosure authorization forms for authorization of consent to use personal data. CC ID 13433
    [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to the provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include procedures for revoking authorization of consent to use personal data in the disclosure authorization form. CC ID 13438
    [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the identity of the person seeking consent in the disclosure authorization. CC ID 13999 Privacy protection for information and data Establish/Maintain Documentation
    Include the recipients of the disclosed personal data in the disclosure authorization form. CC ID 13440 Privacy protection for information and data Establish/Maintain Documentation
    Include the signature of the data subject and the signing date in the disclosure authorization form. CC ID 13439 Privacy protection for information and data Establish/Maintain Documentation
    Include the identity of the data subject in the disclosure authorization form. CC ID 13436 Privacy protection for information and data Establish/Maintain Documentation
    Include the types of personal data to be disclosed in the disclosure authorization form. CC ID 13442 Privacy protection for information and data Establish/Maintain Documentation
    Include how personal data will be used in the disclosure authorization form. CC ID 13441 Privacy protection for information and data Establish/Maintain Documentation
    Include agreement termination information in the disclosure authorization form. CC ID 13437 Privacy protection for information and data Establish/Maintain Documentation
    Offer incentives for consumers to opt-in to provide their personal data to the organization. CC ID 13781 Privacy protection for information and data Business Processes
    Refrain from using coercive financial incentive programs to entice opt-in consent. CC ID 13795 Privacy protection for information and data Business Processes
    Allow data subjects to opt out and refrain from granting an authorization of consent to use personal data. CC ID 00391
    [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The methods and procedures available for revocation of consent, where a user does not want his or her personal information transferred to a third party. Article 26(1)(3)
    Every user may, at any time, revoke his or her consent given to a provider of information and communications services or similar to allow the provider to collect, use, or furnish his or her personal information. Article 30(1)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the user has given a consent to the provider of information and communications services or similar to collect, use, or furnish his or her personal information. Article 30(2)(3)
    {not necessary}{do not consent} Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Fact that users may give no consent to the permission on access authority. Article 22-2(1)(2)(c)]
    Privacy protection for information and data Data and Information Management
    Treat an opt-out direction by an individual joint consumer as applying to all associated joint consumers. CC ID 13452 Privacy protection for information and data Business Processes
    Treat opt-out directions separately for each customer relationship the data subject establishes with the organization. CC ID 13454 Privacy protection for information and data Business Processes
    Establish, implement, and maintain an opt-out method in accordance with organizational standards. CC ID 16526 Privacy protection for information and data Data and Information Management
    Comply with opt-out directions by the data subject, unless otherwise directed by compliance requirements. CC ID 13451 Privacy protection for information and data Business Processes
    Confirm the individual's identity before granting an opt-out request. CC ID 16813 Privacy protection for information and data Process or Activity
    Highlight the section regarding data subject's consent from other sections in contracts and agreements. CC ID 13988 Privacy protection for information and data Establish/Maintain Documentation
    Allow consent requests to be provided in any official languages. CC ID 16530 Privacy protection for information and data Business Processes
    Notify interested personnel and affected parties of the reasons the opt-out request was refused. CC ID 16537 Privacy protection for information and data Communicate
    Collect and retain disclosure authorizations for each data subject. CC ID 13434 Privacy protection for information and data Records Management
    Refrain from requiring consent to collect, use, or disclose personal data beyond specified, legitimate reasons in order to receive products and services. CC ID 13605 Privacy protection for information and data Data and Information Management
    Refrain from obtaining consent through deception. CC ID 13556 Privacy protection for information and data Data and Information Management
    Give individuals the ability to change the uses of their personal data. CC ID 00469
    [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)]
    Privacy protection for information and data Data and Information Management
    Notify data subjects of the implications of withdrawing consent. CC ID 13551
    [Where an addressee gives prior consent under paragraph (1) or expresses his or her intention to refuse to receive or revoke his or her consent to receive advertising information under paragraph (2), a person who intends to transmit advertising information for profit by using an electronic transmission medium shall inform the relevant addressee of the outcomes of measures taken in relation to consent to receive, refusal to receive, or revocation of consent to receive advertising information, as prescribed by Presidential Decree. Article 50(7)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data accountability program. CC ID 13432 Privacy protection for information and data Establish/Maintain Documentation
    Assign ownership of the privacy program to the appropriate organizational role. CC ID 11848 Privacy protection for information and data Human Resources Management
    Require data controllers to be accountable for their actions. CC ID 00470 Privacy protection for information and data Establish Roles
    Bind data controllers to secrecy concerning the performance of their duties. CC ID 12610 Privacy protection for information and data Human Resources Management
    Notify the supervisory authority. CC ID 00472
    [{relevant authority}{collection}{personal data} A provider of information and communications services shall, whenever it discovers a violation of paragraph (1), immediately report it to the Minister of Science, Information and Communications Technology (ICT) and Future Planning, the Korea Communications Commission, or the Korea Internet and Security Agency. Article 49-2(2)]
    Privacy protection for information and data Behavior
    Establish, implement, and maintain approval applications. CC ID 16778 Privacy protection for information and data Establish/Maintain Documentation
    Define the requirements for approving or denying approval applications. CC ID 16780 Privacy protection for information and data Business Processes
    Submit approval applications to the supervisory authority. CC ID 16627 Privacy protection for information and data Communicate
    Include required information in the approval application. CC ID 16628 Privacy protection for information and data Establish/Maintain Documentation
    Extend the time limit for approving or denying approval applications. CC ID 16779 Privacy protection for information and data Business Processes
    Approve the approval application unless applicant has been convicted. CC ID 16603 Privacy protection for information and data Process or Activity
    Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 Privacy protection for information and data Process or Activity
    Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 Privacy protection for information and data Communicate
    Cooperate with Data Protection Authorities. CC ID 06870 Privacy protection for information and data Data and Information Management
    Submit a safe harbor self-certification letter. CC ID 06871 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from engaging other data processors absent written authorization from the data controller. CC ID 12647 Privacy protection for information and data Human Resources Management
    Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data. CC ID 12584 Privacy protection for information and data Establish/Maintain Documentation
    Include cooperation mechanisms with the supervisory authority in the Binding Corporate Rules. CC ID 12682 Privacy protection for information and data Establish/Maintain Documentation
    Include the tasks assigned to the role of data controller in the Binding Corporate Rules. CC ID 12612 Privacy protection for information and data Establish/Maintain Documentation
    Include data subject's rights in the Binding Corporate Rules. CC ID 12596 Privacy protection for information and data Establish/Maintain Documentation
    Include the means to exercise the data subject's rights in the Binding Corporate Rules. CC ID 12597 Privacy protection for information and data Establish/Maintain Documentation
    Include the organizational structure and contact information in the Binding Corporate Rules. CC ID 12595 Privacy protection for information and data Establish/Maintain Documentation
    Include the acceptance of liability for breaches of the binding corporate rules in the Binding Corporate Rules. CC ID 12594 Privacy protection for information and data Establish/Maintain Documentation
    Include the mechanisms for reporting legal requirements causing adverse effects on protecting restricted data in the Binding Corporate Rules. CC ID 12620 Privacy protection for information and data Establish/Maintain Documentation
    Include provisions for providing information on the binding corporate rules to the data subject in the Binding Corporate Rules. CC ID 12593 Privacy protection for information and data Establish/Maintain Documentation
    Include reporting changes to the binding corporate rules in the Binding Corporate Rules. CC ID 12591 Privacy protection for information and data Establish/Maintain Documentation
    Include reporting changes of the binding corporate rules to the supervisory authority in the Binding Corporate Rules. CC ID 12592 Privacy protection for information and data Establish/Maintain Documentation
    Include complaint procedures in the Binding Corporate Rules. CC ID 12613 Privacy protection for information and data Establish/Maintain Documentation
    Include the data transfers in the Binding Corporate Rules. CC ID 12590 Privacy protection for information and data Establish/Maintain Documentation
    Include specifying the mechanisms for verifying compliance of the binding corporate rules in the Binding Corporate Rules. CC ID 12662 Privacy protection for information and data Establish/Maintain Documentation
    Include the identification of the countries in question for the data transfers in the Binding Corporate Rules. CC ID 12601 Privacy protection for information and data Establish/Maintain Documentation
    Include the type of data subjects affected by the data transfers in the Binding Corporate Rules. CC ID 12600 Privacy protection for information and data Establish/Maintain Documentation
    Include all pertinent data processing information for data transfers in the Binding Corporate Rules. CC ID 12599 Privacy protection for information and data Establish/Maintain Documentation
    Include the categories of personal data for data transfers in the Binding Corporate Rules. CC ID 12598 Privacy protection for information and data Establish/Maintain Documentation
    Include specifying the legally binding nature of the binding corporate rules in the Binding Corporate Rules. CC ID 12627 Privacy protection for information and data Establish/Maintain Documentation
    Include privacy awareness and training in the Binding Corporate Rules. CC ID 12626 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data controller of any changes in data processors. CC ID 12648 Privacy protection for information and data Communicate
    Establish, implement, and maintain Data Processing Contracts. CC ID 12650
    [A provider, etc. of information and communications shall, when entrusting a trustee with management of personal information, do so in writing. Article 25(6)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the corrective actions to be taken when conditions cannot be met in the Data Processing Contract. CC ID 16812 Privacy protection for information and data Establish/Maintain Documentation
    Include data processor confidentiality requirements in the Data Processing Contract. CC ID 12685 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of notifying the data controller of legal requirements prior to processing restricted data unless the law prohibits such information on important grounds of public interest in the Data Processing Contract. CC ID 12687 Privacy protection for information and data Establish/Maintain Documentation
    Include instructions for processing restricted data in the Data Processing Contract. CC ID 14938 Privacy protection for information and data Establish/Maintain Documentation
    Include the purpose for processing restricted data in the Data Processing Contract. CC ID 14937
    [A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the types of restricted data subject to processing in the Data Processing Contract. CC ID 14936 Privacy protection for information and data Establish/Maintain Documentation
    Include the duration of processing in the Data Processing Contract. CC ID 14935 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data transfer procedures in the Data Processing Contract. CC ID 12683 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of allowing auditing for compliance in the Data Processing Contract. CC ID 12679 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the Statement of Compliance will be made available in the Data Processing Contract. CC ID 12678 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation of complying with external requirements in the Data Processing Contract. CC ID 12676 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that the data processor will respect the conditions for engaging another data processor in the Data Processing Contract. CC ID 12686 Privacy protection for information and data Human Resources Management
    Include the stipulation that copies of restricted data will be disposed, unless retention is required by law, in the Data Processing Contract. CC ID 12670 Privacy protection for information and data Establish/Maintain Documentation
    Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract. CC ID 12669 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use limitation program. CC ID 13428 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use purpose specification. CC ID 00093 Privacy protection for information and data Establish/Maintain Documentation
    Display or print the least amount of personal data necessary. CC ID 04643 Privacy protection for information and data Data and Information Management
    Redact confidential information from public information, as necessary. CC ID 06872 Privacy protection for information and data Data and Information Management
    Notify the data subject of the collection purpose. CC ID 00095
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)
    A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1]
    Privacy protection for information and data Behavior
    Refrain from using restricted data collected for research and statistics for other purposes. CC ID 00096 Privacy protection for information and data Data and Information Management
    Document the law that requires restricted data to be collected. CC ID 00103 Privacy protection for information and data Establish/Maintain Documentation
    Notify the data subject of the consequences for not providing personal data. CC ID 00104 Privacy protection for information and data Behavior
    Notify the data subject of changes to personal data use. CC ID 00105
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Period of time during which he or she intends to possess and use the personal information. Article 22(1)(3)
    A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Items of personal information that he or she intends to collect; Article 22(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)]
    Privacy protection for information and data Behavior
    Establish, implement, and maintain data use change of purpose procedures. CC ID 00106 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of publicly accessible personal data as an acceptable secondary purpose. CC ID 00108 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of privacy-related data as acceptable if the information being used is publicly available information, the secondary use is marketing, and it is not practical to seek consent from the individual before use. CC ID 00110 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject is not charged to request to opt out of direct marketing communications. CC ID 00111 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject has not requested to opt out of direct marketing communications. CC ID 00112 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization highlights the opt out option during each direct marketing communication. CC ID 00113 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the organization displays contact information in each written direct marketing communication. CC ID 00114 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data subject gives consent. CC ID 00115 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is Individually Identifiable Health Information used for research. CC ID 00116 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is used for statistical research, scholarly research, or scientific research and the data subject is anonymous. CC ID 00117 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the data controller believes the use is necessary to prevent a life-threatening emergency. CC ID 00118 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when required by law. CC ID 00119 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the personal data is necessary for public emergencies, public health and safety, or individual emergencies. CC ID 00121 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when the primary purpose is directly related to the secondary purpose. CC ID 00123 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for the enforcement of care and custody. CC ID 15453 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of data as an acceptable secondary purpose when it is necessary for use in a legal proceeding. CC ID 15451 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary for a law enforcement investigation. CC ID 15449 Privacy protection for information and data Establish/Maintain Documentation
    Document the use of personal data as an acceptable secondary purpose when it is necessary to perform a treaty with a foreign government. CC ID 15447 Privacy protection for information and data Establish/Maintain Documentation
    Obtain the data subject's consent when the personal data use changes. CC ID 11832
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3)]
    Privacy protection for information and data Behavior
    Document restricted data that is disclosed for an acceptable secondary purpose. CC ID 00124 Privacy protection for information and data Establish/Maintain Documentation
    Dispose of media and restricted data in a timely manner. CC ID 00125
    [{refrain from destroying} A provider of information and communications services or similar shall, if any of the followings occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1)]
    Privacy protection for information and data Data and Information Management
    Refrain from destroying records being inspected or reviewed. CC ID 13015 Privacy protection for information and data Records Management
    Notify the data subject after their personal data is disposed, as necessary. CC ID 13502
    [{stipulated timeframe} The provider, etc. of information and communications services shall notify, until 30 days before expiration of the period under paragraph (2), the users of the matters prescribed by Presidential Decree such as the fact that the personal information will be destroyed, the expiration date of the period and items of personal information subject to destruction, in a manner prescribed by Presidential Decree such as by email. Article 29(3)]
    Privacy protection for information and data Communicate
    Establish, implement, and maintain data access procedures. CC ID 00414
    [Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Allow data subjects to submit data requests. CC ID 16545 Privacy protection for information and data Process or Activity
    Provide individuals with information about where their personal data was processed. CC ID 00415 Privacy protection for information and data Data and Information Management
    Provide individuals with information about the processing purpose of their personal data. CC ID 00416
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a)
    Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b)
    {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a)
    {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: The purposes of use of the person to whom the personal information is to be transferred, and the period of time for possession and use of the personal information. Article 63(3)(4)
    A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Purposes of collection and use of the personal information; Article 22(1)(1)]
    Privacy protection for information and data Data and Information Management
    Provide individuals with information about disclosure of their personal data. CC ID 00417 Privacy protection for information and data Data and Information Management
    Allow guardians and legal representatives access to personal data about the individual for whom they are guardians or legal representatives. CC ID 00418 Privacy protection for information and data Data and Information Management
    Provide assistance to requesters in preparing data access requests. CC ID 13588 Privacy protection for information and data Data and Information Management
    Require data access requests to be in writing, unless the requester is unable. CC ID 00420 Privacy protection for information and data Establish/Maintain Documentation
    Define what is to be included in a data access request. CC ID 08699 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring data subjects having to justify personal data access requests. CC ID 12394 Privacy protection for information and data Business Processes
    Respond to data access requests in a timely manner. CC ID 00421
    [{personal information} A provider of information and communications services or similar shall, in receipt of a request to peruse or furnish matters in accordance with paragraph (2), take necessary measures without delay. Article 30(4)]
    Privacy protection for information and data Behavior
    Delay responding to data access requests, as necessary. CC ID 15504 Privacy protection for information and data Data and Information Management
    Expedite the processing of data access requests, as necessary. CC ID 15496 Privacy protection for information and data Data and Information Management
    Grant a waiver or reduction of fees for data access under defined conditions. CC ID 15502 Privacy protection for information and data Business Processes
    Define what is included in a request for a waiver or reduction of fees. CC ID 15522 Privacy protection for information and data Process or Activity
    Deliver the records described in the personal data access request, as necessary. CC ID 08701 Privacy protection for information and data Establish/Maintain Documentation
    Provide individuals with an estimate of how much data was withheld from the data access request. CC ID 15503 Privacy protection for information and data Data and Information Management
    Document the outcome of the personal data access request review procedure. CC ID 00455 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary. CC ID 11811
    [{be easy}{procedure} A provider of information and communications services or similar shall make how to revoke consent under paragraph (1), how to request to peruse personal information or furnish such information under paragraph (2), and how to request correction of an error, easier than how to collect personal information. Article 30(6)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Details of which the provider of information and communications services or similar has used personal information of the user or furnished it to a third party; Article 30(2)(2)
    Every user may request a provider of information and communications services or similar to allow him or her to peruse, or to furnish with any of the following subparagraphs, and may also require the provider to correct an error, if there is any error: Personal information of the user, which the provider of information and communications services or similar possesses; Article 30(2)(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Submit personal data removal requests in writing. CC ID 11973 Privacy protection for information and data Records Management
    Include a liability waiver for any harm caused by the exclusion of personal data in the personal data removal request. CC ID 11975 Privacy protection for information and data Establish/Maintain Documentation
    Notify third parties of data access requests that relates to the third party. CC ID 08703 Privacy protection for information and data Establish/Maintain Documentation
    Allow affected third parties to consent or object to a data access request. CC ID 08704 Privacy protection for information and data Process or Activity
    Establish, implement, and maintain restricted data use limitation procedures. CC ID 00128
    [{refrain from using}{be different} No provider of information and communications services may use personal information collected in accordance with Article 22 and the proviso to Article 23 (1) for any purpose other than the purpose consented by the relevant user or the purpose specified in any subparagraph of Article 22 (2). Article 24 ¶ 1]
    Privacy protection for information and data Establish/Maintain Documentation
    Identify any adverse effects the processing of personal data will have on the data subject. CC ID 15299 Privacy protection for information and data Data and Information Management
    Disclose de-identified data, as necessary. CC ID 13034 Privacy protection for information and data Communicate
    Notify the data subject after personal data is used or disclosed. CC ID 06247 Privacy protection for information and data Behavior
    Refrain from processing restricted data, as necessary. CC ID 12551
    [{refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1)
    {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2)
    A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Privacy protection for information and data Records Management
    Refrain from processing restricted data if the restricted data is involved in a legal claim. CC ID 12668 Privacy protection for information and data Process or Activity
    Refrain from providing information to the data subject when the organization cannot identify the data subject. CC ID 12667 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data when the data subject consents to retention. CC ID 14326 Privacy protection for information and data Business Processes
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for statistical purposes. CC ID 12656 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for historical research purposes. CC ID 12655 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for scientific research purposes. CC ID 12654 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for exercising freedom of expression. CC ID 12684 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when it is used to provide a service. CC ID 13779 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for archival purposes. CC ID 12653 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is for compliance with a legal obligation. CC ID 12652 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing is necessary for the public interest. CC ID 12649 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon data subject request when personal data processing concerns legal claims. CC ID 12644 Privacy protection for information and data Process or Activity
    Refrain from processing personal data when it is likely to cause unlawful discrimination or arbitrary discrimination. CC ID 00197 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it is used for behavioral monitoring. CC ID 16528 Privacy protection for information and data Data and Information Management
    Refrain from processing personal data when it reveals trade union membership. CC ID 12583 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sexual orientation. CC ID 12582 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it concerns an individual's sex life. CC ID 12581 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it contains Individually Identifiable Health Information. CC ID 12580 Privacy protection for information and data Business Processes
    Refrain from processing personal data when biometric data is used for the purpose of identifying an individual. CC ID 12579 Privacy protection for information and data Business Processes
    Refrain from processing personal data when the genetic data is used for the purpose of identifying individuals. CC ID 12578 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals philosophical beliefs. CC ID 12577 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals religious beliefs. CC ID 12576 Privacy protection for information and data Business Processes
    Refrain from processing personal data when it reveals political opinions. CC ID 12575 Privacy protection for information and data Business Processes
    Refrain from processing personal data if it reveals ethnic origin. CC ID 12574 Privacy protection for information and data Business Processes
    Refrain from processing personal data if the data subject opposes the data erasure of personal data. CC ID 12619 Privacy protection for information and data Process or Activity
    Establish and maintain a record of processing activities when processing restricted data. CC ID 12636 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the data processor employs a limited number of persons. CC ID 13378 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the personal data relates to criminal records. CC ID 13377 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if the data being processed is restricted data. CC ID 13376 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from maintaining a record of processing activities if it could result in a risk to the data subject's rights or data subject's freedom. CC ID 13375 Privacy protection for information and data Establish/Maintain Documentation
    Include the data protection officer's contact information in the record of processing activities. CC ID 12640 Privacy protection for information and data Records Management
    Include the data processor's contact information in the record of processing activities. CC ID 12657 Privacy protection for information and data Records Management
    Include the data processor's representative's contact information in the record of processing activities. CC ID 12658 Privacy protection for information and data Records Management
    Include a general description of the implemented security measures in the record of processing activities. CC ID 12641 Privacy protection for information and data Records Management
    Include a description of the data subject categories in the record of processing activities. CC ID 12659 Privacy protection for information and data Records Management
    Include the purpose of processing restricted data in the record of processing activities. CC ID 12663 Privacy protection for information and data Records Management
    Include the personal data processing categories in the record of processing activities. CC ID 12661 Privacy protection for information and data Records Management
    Include the time limits for erasing each data category in the record of processing activities. CC ID 12690 Privacy protection for information and data Records Management
    Include the data recipient categories to whom restricted data has been or will be disclosed in the record of processing activities. CC ID 12664 Privacy protection for information and data Records Management
    Include a description of the personal data categories in the record of processing activities. CC ID 12660 Privacy protection for information and data Records Management
    Include the joint data controller's contact information in the record of processing activities. CC ID 12639 Privacy protection for information and data Records Management
    Include the data controller's representative's contact information in the record of processing activities. CC ID 12638 Privacy protection for information and data Records Management
    Include documentation of the transferee's safeguards for transferring restricted data in the record of processing activities. CC ID 12643 Privacy protection for information and data Records Management
    Include the identification of transferees for transferring restricted data in the record of processing activities. CC ID 12642 Privacy protection for information and data Records Management
    Include the data controller's contact information in the record of processing activities. CC ID 12637 Privacy protection for information and data Records Management
    Process restricted data lawfully and carefully. CC ID 00086
    [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1)
    Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2)
    {relevant authority}Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)]
    Privacy protection for information and data Establish Roles
    Implement technical controls that limit processing restricted data for specific purposes. CC ID 12646 Privacy protection for information and data Technical Security
    Process personal data pertaining to a patient's health in order to treat those patients. CC ID 00200 Privacy protection for information and data Data and Information Management
    Refrain from disclosing Individually Identifiable Health Information when in violation of territorial or federal law. CC ID 11966 Privacy protection for information and data Records Management
    Document the conditions for the use or disclosure of Individually Identifiable Health Information by a covered entity to another covered entity. CC ID 00210 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information for a covered entity's own use. CC ID 00211 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for a healthcare provider's treatment activities by a covered entity. CC ID 00212 Privacy protection for information and data Data and Information Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted with the consent of the data subject. CC ID 11970 Privacy protection for information and data Records Management
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is to support the treatment of the individual. CC ID 11969 Privacy protection for information and data Process or Activity
    Rely upon the warranty of the covered entity that the record disclosure request for Individually Identifiable Health Information is permitted by law. CC ID 11976 Privacy protection for information and data Records Management
    Disclose Individually Identifiable Health Information for payment activities between covered entities or healthcare providers. CC ID 00213 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities when both covered entities have a relationship with the data subject. CC ID 00214 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for Treatment, Payment, and Health Care Operations activities between a covered entity and a participating healthcare provider when the information is collected from the data subject and a third party. CC ID 00215 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with agreed upon restrictions. CC ID 06249 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in accordance with the privacy notice. CC ID 06250 Privacy protection for information and data Data and Information Management
    Disclose permitted Individually Identifiable Health Information for facility directories. CC ID 06251 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for cadaveric organ donation purposes, eye donation purposes, or tissue donation purposes. CC ID 06252 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for medical suitability determinations. CC ID 06253 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for armed forces personnel appropriately. CC ID 06254 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to provide public benefits by government agencies. CC ID 06255 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for fundraising. CC ID 06256 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information for research use when the appropriate requirements are included in the approval documentation or waiver documentation. CC ID 06257 Privacy protection for information and data Establish/Maintain Documentation
    Document the conditions for the disclosure of Individually Identifiable Health Information by an organization providing healthcare services to organizations other than business associates or other covered entities. CC ID 00201 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Individually Identifiable Health Information when the data subject cannot physically or legally provide consent and the disclosing organization is a healthcare provider. CC ID 00202 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information to provide appropriate treatment to the data subject when the disclosing organization is a healthcare provider. CC ID 00203 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when it is not contrary to the data subject's wish prior to becoming unable to provide consent and the disclosing organization is a healthcare provider. CC ID 00204 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information that is reasonable or necessary for the disclosure purpose when the disclosing organization is a healthcare provider. CC ID 00205 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information consistent with the law when the disclosing organization is a healthcare provider. CC ID 00206 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the disclosing organization is a healthcare provider. CC ID 00207 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject has provided consent and the disclosing organization is a healthcare provider. CC ID 00208 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to carry out treatment when the data subject's guardian or representative has provided consent and the disclosing organization is a healthcare provider. CC ID 00209 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information when the disclosing organization is a healthcare provider that supports public health and safety activities. CC ID 06248 Privacy protection for information and data Data and Information Management
    Disclose Individually Identifiable Health Information in order to report abuse or neglect when the disclosing organization is a healthcare provider. CC ID 06819 Privacy protection for information and data Data and Information Management
    Document how Individually Identifiable Health Information is used and disclosed when authorization has been granted. CC ID 00216 Privacy protection for information and data Establish/Maintain Documentation
    Define and implement valid authorization control requirements. CC ID 06258 Privacy protection for information and data Establish/Maintain Documentation
    Obtain explicit consent for authorization to release Individually Identifiable Health Information. CC ID 00217 Privacy protection for information and data Data and Information Management
    Obtain explicit consent for authorization to release psychotherapy notes. CC ID 00218 Privacy protection for information and data Data and Information Management
    Refrain from using Individually Identifiable Health Information to determine eligibility or continued eligibility for credit. CC ID 00219 Privacy protection for information and data Data and Information Management
    Process personal data after the data subject has granted explicit consent. CC ID 00180 Privacy protection for information and data Data and Information Management
    Process personal data in order to perform a legal obligation or exercise a legal right. CC ID 00182 Privacy protection for information and data Data and Information Management
    Process personal data relating to criminal offenses when required by law. CC ID 00237 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to the data subject's health. CC ID 00183 Privacy protection for information and data Data and Information Management
    Process personal data in order to prevent personal injury or damage to a third party's health. CC ID 00184 Privacy protection for information and data Data and Information Management
    Process personal data for statistical purposes or scientific purposes. CC ID 00256 Privacy protection for information and data Data and Information Management
    Process personal data during legitimate activities with safeguards for the data subject's legal rights. CC ID 00185 Privacy protection for information and data Data and Information Management
    Process traffic data in a controlled manner. CC ID 00130 Privacy protection for information and data Data and Information Management
    Process personal data for health insurance, social insurance, state social benefits, social welfare, or child protection. CC ID 00186 Privacy protection for information and data Data and Information Management
    Process personal data when it is publicly accessible. CC ID 00187 Privacy protection for information and data Data and Information Management
    Process personal data for direct marketing and other personalized mail programs. CC ID 00188
    [{refrain from obtaining} If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a telemarketer under the Act on Door-to-Door Sales, Etc. informs prospective customers of the collection source of their personal information by voice, and solicits them to buy products or services by means of telephone call. Article 50(1)(2)]
    Privacy protection for information and data Data and Information Management
    Refrain from processing personal data for marketing or advertising to children. CC ID 14010
    [{refrain from transmitting}{refrain from displaying}{refrain from taking} No one may transmit, to a juvenile under subparagraph 1 of Article 2 of the Juvenile Protection Act, any information containing an advertisement of an unwholesome medium for juvenile as defined in subparagraph 3 of Article 2 of the aforesaid Act among the media under subparagraph 2 (e) of Article 2 of the aforesaid Act in the form of code, letter, voice, sound, image, or motion picture through an information and communications network or display such medium to the general public without taking any measure to restrict access by a juvenile. Article 42-2 ¶ 1]
    Privacy protection for information and data Business Processes
    Process personal data for the purposes of employment. CC ID 16527 Privacy protection for information and data Data and Information Management
    Process personal data for justice administration, lawsuits, judicial decisions, and investigations. CC ID 00189 Privacy protection for information and data Data and Information Management
    Process personal data for debt collection or benefit payments. CC ID 00190 Privacy protection for information and data Data and Information Management
    Process personal data in order to advance the public interest. CC ID 00191 Privacy protection for information and data Data and Information Management
    Process personal data for surveys, archives, or scientific research. CC ID 00192 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00193 Privacy protection for information and data Data and Information Management
    Process personal data for academic purposes or religious purposes. CC ID 00194 Privacy protection for information and data Data and Information Management
    Process personal data when it is used by a public authority for National Security policy or criminal policy. CC ID 00195 Privacy protection for information and data Data and Information Management
    Refrain from storing data in newly created files or registers which directly or indirectly reveals the restricted data. CC ID 00196 Privacy protection for information and data Data and Information Management
    Follow legal obligations while processing personal data. CC ID 04794 Privacy protection for information and data Data and Information Management
    Start personal data processing only after the needed notifications are submitted. CC ID 04791 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for specific and well-documented circumstances. CC ID 13537
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)]
    Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to protect the vital interests of the data subject. CC ID 14012 Privacy protection for information and data Process or Activity
    Process personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13617 Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13615 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13612 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the disclosure concerns the data subject's products and services obtained from the organization. CC ID 13611 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is impracticable to obtain consent. CC ID 13580
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)]
    Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15282 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to determine whether to proceed with business transactions. CC ID 13587 Privacy protection for information and data Data and Information Management
    Process personal data absent consent in order to perform a contract. CC ID 13586 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when the privacy commissioner is notified before the information is used. CC ID 13581 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to perform obligations in the field of employment law. CC ID 16814 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15294 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is used in a manner to ensure confidentiality. CC ID 13579 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is used for statistical research, scientific research, or scholarly research. CC ID 13578 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is needed by law. CC ID 13577
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3)
    A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Privacy protection for information and data Data and Information Management
    Process personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15296 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is from publicly available information. CC ID 13576 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to create a credit report. CC ID 15288 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if its use is consistent with the intended purpose. CC ID 13575 Privacy protection for information and data Data and Information Management
    Process personal data absent consent to administer a trust fund or benefit plan. CC ID 15291 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when produced for business purposes. CC ID 13563 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for handling insurance claims. CC ID 13561 Privacy protection for information and data Data and Information Management
    Process personal data absent consent when it is necessary for corporate restructuring. CC ID 16533 Privacy protection for information and data Data and Information Management
    Process personal data absent consent if the information is contained in a witness statement. CC ID 13560 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for life-threatening emergencies. CC ID 13558 Privacy protection for information and data Data and Information Management
    Process personal data absent consent for reasonable investigative purposes. CC ID 13557 Privacy protection for information and data Data and Information Management
    Notify the individual before restricted data is collected, used, or disclosed. CC ID 00132 Privacy protection for information and data Behavior
    Define security breach notification requirement exceptions. CC ID 04797 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from disclosing personal data absent consent of the individual or for defined exceptions. CC ID 11967
    [{refrain from providing} No one shall be knowingly provided with any disclosed personal information for profit or any unlawful purpose. Article 28-2(2)
    {violate}{right} Every provider of information and communications services shall make efforts to prevent any information under paragraph (1) from being circulated through the information and communications network operated and managed by it. Article 44(2)
    {refrain from circulating}{violate} No user may circulate any information violative of other person's rights, including invasion of privacy and defamation, through an information and communications network. Article 44(1)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that defames other persons by divulging a fact, false fact, openly and purposely to disparage the person's reputation; Article 44-7(1)(2)
    {refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information regarding content of transactions of personal information in violation of this Act or other statutes concerning the protection of personal information; Article 44-7(1)(6-2)
    {be different}{refrain from using} A person who received any personal information of a user from a provider of information and communications services in accordance with paragraph (1) shall not furnish the personal information to a third party or use it for any purpose other than the purpose originally agreed upon at the time when the information was furnished without consent of the user or a specific provision otherwise specified in any other Act. Article 24-2(2)
    {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1]
    Privacy protection for information and data Records Management
    Disclose restricted data when the data subject has given unambiguous and implicit consent. CC ID 00157 Privacy protection for information and data Data and Information Management
    Define what restricted data is not required to be disclosed absent consent. CC ID 00134 Privacy protection for information and data Establish/Maintain Documentation
    Define the exceptions to disclosure absent consent. CC ID 00135 Privacy protection for information and data Establish/Maintain Documentation
    Define opt-out exceptions for disclosing restricted data. CC ID 00159 Privacy protection for information and data Establish/Maintain Documentation
    Define how a data subject may give consent. CC ID 00160 Privacy protection for information and data Establish/Maintain Documentation
    Disclose Personal Identification Numbers absent consent in order to update address information. CC ID 04793 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for specific and well-documented circumstances. CC ID 15267
    [A provider of information and communications services or similar may omit the procedures for notification and consent under paragraph (1) for entrusting the management of personal information, where the personal information is required to comply with the contract on the provision of the information and communications services and enhance convenience of users and where all the matters prescribed in subparagraphs of paragraph (1) have been disclosed to the public under Article 27-2 (1) or notified to users in a manner prescribed by Presidential Decree, such as by electronic mails. The same shall apply where there exists a change in a matter prescribed in any subparagraph of paragraph (1). Article 25(2)]
    Privacy protection for information and data Communicate
    Disclose restricted data absent consent when the law does not require consent. CC ID 00136 Privacy protection for information and data Data and Information Management
    Disclose data absent consent if its disclosure is consistent with the intended purpose. CC ID 15270 Privacy protection for information and data Data and Information Management
    Disclose restricted data when a relevant connection exists between the data subject and the data controller's operations. CC ID 00137 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the disclosure with the consent or knowledge of the data subject would compromise the ability to prevent, detect, or suppress fraud. CC ID 13594 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when it is in the data subject's interest and consent cannot be obtained in a timely manner. CC ID 15284 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13616 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject is notified that the business transaction is completed and their information was disclosed. CC ID 13613 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject has been notified the personal data may be collected, used, or disclosed. CC ID 13603 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if disclosure is made a predetermined number of years after the death of the data subject. CC ID 13598 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when disclosure is made a predetermined number of years after the information was created. CC ID 13597 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the data subject is notified of the disclosure. CC ID 13596 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to detect, suppress, or prevent fraud. CC ID 13592 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to create a credit report. CC ID 15297 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if it is necessary to identify an individual who is injured, ill or deceased. CC ID 13595 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent if the disclosure is to a government institution. CC ID 13583 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for reasonable investigative purposes. CC ID 13593 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to determine whether to proceed with business transactions. CC ID 15285 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for handling insurance claims. CC ID 13585 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the information is contained in a witness statement. CC ID 13584 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the data subject is believed to be a victim of financial abuse. CC ID 13555 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for transactions related to the consumer. CC ID 14853 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent to a government institution that has requested the information. CC ID 13582 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 13554 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is for the data controller's legitimate interest or third party's legitimate interest and it prevails over individual rights. CC ID 00138 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if the organization notifies the privacy commissioner before disclosing the information. CC ID 13553 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent if it is impracticable to obtain consent. CC ID 13552 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to perform a contract. CC ID 00139 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to assist Telecommunications Ombudsmen in resolving complaints. CC ID 00140 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent to administer a trust fund or benefit plan. CC ID 15290 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for research purposes and the data subject is not identified. CC ID 15286 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the personal data is disclosed by calling an emergency service number. CC ID 00141 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when the restricted data prevents life-threatening emergencies to third parties. CC ID 00142 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when the restricted data preserves human life at sea. CC ID 00143 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to process the restricted data for public interests. CC ID 00144 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent in order to provide social work assistance services. CC ID 00145 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent if confidentiality is assured and the disclosure is for statistical research, scientific research, or scholarly research. CC ID 00146 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent in order to protect historical records or archival records. CC ID 00147 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent for public economic interests. CC ID 00148 Privacy protection for information and data Data and Information Management
    Disclose restricted data for public interests absent consent for National Security reasons. CC ID 00149 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00150 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is publicly accessible. CC ID 00151 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is related to publicly available information. CC ID 00152 Privacy protection for information and data Data and Information Management
    Disclose publicly accessible restricted data absent consent when the data subject has already published it. CC ID 00153 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to protect the data subject's vital interests. CC ID 00154 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent in order to protect the data subject's vital interests when there is a life-threatening emergency. CC ID 00155 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is for judicial decisions, lawsuits, and investigations. CC ID 00161 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when it is needed by law. CC ID 00163 Privacy protection for information and data Data and Information Management
    Disclose personal data required by law absent consent for special cases involving security or law enforcement. CC ID 04796 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when it is being disclosed to the data subject. CC ID 00164 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent for direct marketing or other personalized mail programs. CC ID 14855 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent in order to collect a debt owed by the data subject. CC ID 00165 Privacy protection for information and data Data and Information Management
    Disclose personal data absent consent when the data subject or data owner is anonymous. CC ID 00166 Privacy protection for information and data Data and Information Management
    Disclose restricted data absent consent when the disclosure concerns the individual's products or services obtained from the organization. CC ID 13469 Privacy protection for information and data Communicate
    Establish, implement, and maintain restricted data retention procedures. CC ID 00167
    [{refrain from destroying} A provider of information and communications services or similar shall, if any of the following occurs, destroy the relevant personal information without delay so that such personal information cannot be recovered or reproduced: Provided, That the same shall not apply where it is required to preserve the personal information in accordance with any other Act: Article 29(1)
    The provider of information and communications services or similar shall, in an effort to protect personal information of the users who do not use information and communications services for a period of one year, take necessary measures, such as destruction of personal information, as prescribed by Presidential Decree: Provided, That the period is otherwise provided either in accordance with other statute or at the request of the users, such provisions shall apply. Article 29(2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain personal data disposition procedures. CC ID 13498
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: The period of time during which the personal information is possessed and used, and the procedure and method for destruction of the personal information (including the ground for preservation and items of preserved personal information, if it is required to preserve the personal information in accordance with the proviso to the part above subparagraphs of Article 29 (1)); Article 27-2(2)(3)
    If a user withdraws his or her consent pursuant to paragraph (1), a provider of information and communications services, etc. shall immediately take necessary measures, such as the destruction of collected personal information in an irrecoverable or in unreproducible way. Article 30(3)]
    Privacy protection for information and data Establish/Maintain Documentation
    Capture personal data removal requests. CC ID 13507
    [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)]
    Privacy protection for information and data Communicate
    Remove personal data from records after receiving a personal data removal request. CC ID 11972
    [{violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)]
    Privacy protection for information and data Records Management
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary for maintaining information assets. CC ID 13789 Privacy protection for information and data Process or Activity
    Refrain from erasing personal data upon receiving a personal data removal request when it is necessary to complete a payment transaction. CC ID 13788 Privacy protection for information and data Process or Activity
    Dispose of personal data removal requests, as necessary. CC ID 13512 Privacy protection for information and data Business Processes
    Limit the redisclosure and reuse of restricted data. CC ID 00168 Privacy protection for information and data Data and Information Management
    Refrain from redisclosing or reusing restricted data. CC ID 00169
    [A person who manages or has ever managed personal information of users shall not damage, intrude on, or disclose personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)]
    Privacy protection for information and data Data and Information Management
    Document the redisclosing restricted data exceptions. CC ID 00170 Privacy protection for information and data Establish/Maintain Documentation
    Redisclose restricted data when the data subject consents. CC ID 00171 Privacy protection for information and data Data and Information Management
    Redisclose restricted data when it is for criminal law enforcement. CC ID 00172 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to protect public revenue. CC ID 00173 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to assist a Telecommunications Ombudsman. CC ID 00174 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to prevent a life-threatening emergency. CC ID 00175 Privacy protection for information and data Data and Information Management
    Redisclose restricted data when it deals with installing, maintaining, operating, or providing access to a Public Telecommunications Network or a telecommunication facility. CC ID 00176 Privacy protection for information and data Data and Information Management
    Redisclose restricted data in order to preserve human life at sea. CC ID 00177 Privacy protection for information and data Data and Information Management
    Obtain explicit consent directly from the data subject prior to the use of that person's sensitive data. CC ID 00178
    [Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(1)(a)
    Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority certainly necessary to provide the relevant services: Ground that access authority is necessary. Article 22-2(1)(1)(b)
    {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Items of the information and functions for which access authority is necessary; Article 22-2(1)(2)(a)
    {not necessary}Where a provider of information and communications services needs authority to access (hereinafter referred to as "access authority") information stored and functions installed in mobile devices of users in order to provide the relevant services, the provider shall inform users of the following matters so that users may clearly recognize such matters, and shall obtain consent of users: In the case of access authority not certainly necessary to provide the relevant services: Ground that access authority is necessary; Article 22-2(1)(2)(b)
    {stipulated timeframe} Notwithstanding paragraph (1), a person who intends to transmit advertising information for profit by using an electronic transmission medium during the time between 9:00 pm and 8:00 am of the following day shall obtain express prior consent from the addressee of such information: Provided, That in cases of media prescribed by Presidential Decree, the foregoing shall not apply thereto. Article 50(3)]
    Privacy protection for information and data Data and Information Management
    Obtain consent from a parent or legal representative in order to use or disclose a child's data. CC ID 00198
    [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)]
    Privacy protection for information and data Data and Information Management
    Obtain opt-in consent from teenagers prior to the collection, use, or disclosure of personal data. CC ID 00199 Privacy protection for information and data Data and Information Management
    Obtain explicit consent prior to using the data subject's Personal Identification Number. CC ID 00238 Privacy protection for information and data Data and Information Management
    Process Personal Identification Numbers with consent. CC ID 00239 Privacy protection for information and data Data and Information Management
    Refrain from requiring individuals to use Personal Identification Numbers as an account number or password. CC ID 00253 Privacy protection for information and data Behavior
    Obtain consent prior to selling a Personal Identification Number. CC ID 00240 Privacy protection for information and data Data and Information Management
    Obtain consent prior to displaying a Personal Identification Number. CC ID 00241 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on government-issued checks or other paperwork. CC ID 00254 Privacy protection for information and data Data and Information Management
    Refrain from displaying Personal Identification Numbers on identification cards or badges. CC ID 00255 Privacy protection for information and data Data and Information Management
    Document the conditions to use Personal Identification Numbers absent consent. CC ID 00242 Privacy protection for information and data Establish/Maintain Documentation
    Use Personal Identification Numbers absent consent for granting credit or collecting a debt. CC ID 00252 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent for research purposes. CC ID 00247 Privacy protection for information and data Data and Information Management
    Refrain from requiring consent to use a Personal Identification Number when protecting the public health and safety or an individual's safety in an emergency. CC ID 00244 Privacy protection for information and data Data and Information Management
    Use Personal Identification Numbers absent consent when a federal law mandates its use. CC ID 00243 Privacy protection for information and data Data and Information Management
    Allow data subjects the ability to restrict the use and disclosure of personal data. CC ID 06821 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain data disclosure procedures. CC ID 00133 Privacy protection for information and data Establish/Maintain Documentation
    Identify any adverse effects the disclosure of personal data will have on the data subject. CC ID 15298 Privacy protection for information and data Data and Information Management
    Review personal data disclosure requests. CC ID 07129 Privacy protection for information and data Data and Information Management
    Notify the data subject of the disclosure purpose. CC ID 15268 Privacy protection for information and data Communicate
    Establish, implement, and maintain data request denial procedures. CC ID 00434 Privacy protection for information and data Establish/Maintain Documentation
    Include frivolous requests or vexatious requests as a reason for denial in the personal data request denial procedures. CC ID 00435 Privacy protection for information and data Data and Information Management
    Include when the required information is unavailable as a reason for denial in the personal data request denial procedures. CC ID 00436 Privacy protection for information and data Data and Information Management
    Include when the disclosure of personal data constitutes contempt of court or contempt of House of Representatives as a reason for denial in the personal data request denial procedures. CC ID 00437 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would identify suppliers or breaches an express promise of privacy or implied promise of privacy as a reason for denial in the personal data request denial procedures. CC ID 00438 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would compromise National Security as a reason for denial in the personal data request denial procedures. CC ID 00439 Privacy protection for information and data Data and Information Management
    Include information that is protected by attorney-client privilege as a reason for denial in the personal data request denial procedures. CC ID 00440 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would reveal trade secrets, commercial information, or harmful financial information as a reason for denial in the personal data request denial procedures. CC ID 00441 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten an individual's life or an individual's security as a reason for denial in the personal data request denial procedures. CC ID 00442 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would have an unreasonable impact on another individual's privacy as a reason for denial in the personal data request denial procedures. CC ID 00443 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would threaten facilities, property, transport, or communication systems as a reason for denial in the personal data request denial procedures. CC ID 08702 Privacy protection for information and data Process or Activity
    Include responding to access requests after the time limit as a reason for denial in the personal data request denial procedures. CC ID 13600 Privacy protection for information and data Data and Information Management
    Include information that was generated from a formal dispute as a reason for denial in the personal data request denial procedures. CC ID 00444 Privacy protection for information and data Data and Information Management
    Include personal data that is used solely for scientific research, scholarly research, statistical research, library purposes, museum purposes, or archival purposes as a reason for denial in the personal data request denial procedures. CC ID 00445 Privacy protection for information and data Data and Information Management
    Include personal data that is for protecting the civil rights or other's freedoms as a reason for denial in the personal data request denial procedures. CC ID 00447 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that constitutes a state secret as a reason for denial in the personal data request denial procedures. CC ID 00448 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would result in interference with the operation of public functions as a reason for denial in the personal data request denial procedures. CC ID 00449 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interrupt criminal investigation and surveillance or other legal purposes as a reason for denial in the personal data request denial procedures. CC ID 00450 Privacy protection for information and data Data and Information Management
    Include when a country's laws prevent disclosure as a reason for denial in the personal data request denial procedures. CC ID 00451 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with grievance proceeding or employee security investigations as a reason for denial in the personal data request denial procedures. CC ID 06873 Privacy protection for information and data Data and Information Management
    Include disclosing personal data that would interfere with commercial acquisitions or reorganizations as a reason for denial in the personal data request denial procedures. CC ID 06874 Privacy protection for information and data Data and Information Management
    Include if the cost or burden of disclosing the personal data is disproportionate as a reason for denial in the personal data request denial procedures. CC ID 06875 Privacy protection for information and data Data and Information Management
    Notify interested personnel and affected parties of the reasons the data access request was refused. CC ID 00453
    [A provider of information and communications services shall inform interested persons, such as users to whom such services are provided, of the fact that he or she has taken measures for refusal under paragraph (1) or (4): Provided, That where it is impracticable to inform them of the fact in advance, he or she shall inform them of the fact immediately after it has taken measures for refusal. Article 50-4(3)]
    Privacy protection for information and data Data and Information Management
    Notify the individual of the organization's legal rights to refuse the personal data access request, as necessary. CC ID 13509 Privacy protection for information and data Communicate
    Notify individuals of their right to challenge a refusal to a data access request. CC ID 00454 Privacy protection for information and data Data and Information Management
    Include if the record would constitute an action for breach of a duty of confidence as a reason for denial in the personal data request denial procedures. CC ID 08700 Privacy protection for information and data Process or Activity
    Disseminate and communicate personal data to the individual that it relates to. CC ID 00428 Privacy protection for information and data Data and Information Management
    Provide personal data to an individual after the individual's identity has been confirmed. CC ID 06876 Privacy protection for information and data Data and Information Management
    Notify that data subject of any exclusions to requested personal data. CC ID 15271 Privacy protection for information and data Communicate
    Provide data or records in a reasonable time frame. CC ID 00429 Privacy protection for information and data Data and Information Management
    Notify individuals of the new time limit for responding to an access request in a notice of extension. CC ID 13599 Privacy protection for information and data Communicate
    Extend the time limit for providing personal data in order to convert it to an alternative format. CC ID 13591 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing personal data if the time is impracticable to respond to the access request. CC ID 13590 Privacy protection for information and data Data and Information Management
    Extend the time limit for providing data if it would unreasonably interfere with the organization's activities. CC ID 13589 Privacy protection for information and data Data and Information Management
    Provide data at a cost that is not excessive. CC ID 00430 Privacy protection for information and data Data and Information Management
    Provide records or data in a reasonable manner. CC ID 00431 Privacy protection for information and data Data and Information Management
    Provide personal data in a form that is intelligible. CC ID 00432 Privacy protection for information and data Data and Information Management
    Provide restricted data that would threaten the life or security of another individual after that information has been redacted. CC ID 13604 Privacy protection for information and data Data and Information Management
    Provide restricted data that would reveal confidential commercial information after that information has been redacted. CC ID 13602 Privacy protection for information and data Data and Information Management
    Remove data pertaining to third parties before giving the requestor access to the information. CC ID 13601 Privacy protection for information and data Data and Information Management
    Document that a data search was conducted in case the requested data cannot be found. CC ID 06953 Privacy protection for information and data Establish/Maintain Documentation
    Include cookie management in the privacy framework. CC ID 13809 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain cookie management procedures. CC ID 13810 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data collection program. CC ID 06487 Privacy protection for information and data Establish/Maintain Documentation
    Identify any adverse effects the collection of personal data will have on the data subject. CC ID 15279 Privacy protection for information and data Data and Information Management
    Refrain from collecting personal data, as necessary. CC ID 15269
    [{refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)
    {refrain from collecting}{refrain from using} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Article 23-2(1)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain personal data collection limitation boundaries. CC ID 00507 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a personal data use policy. CC ID 00076 Privacy protection for information and data Establish/Maintain Documentation
    Use personal data for specified purposes. CC ID 11831 Privacy protection for information and data Data and Information Management
    Post the collection purpose. CC ID 00101
    [The policy on managing personal information under paragraph (1) shall include descriptions of all the following matters: Purposes of collection and use of personal information, items of personal information collected, and methods of collection; Article 27-2(2)(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Obtain the data subject's consent and acknowledgment before collecting data. CC ID 00012
    [A provider of information and communications services shall, whenever he or she intends to collect personal information of a user purposely to use it, notify the user of the following matters and obtain consent from the user. The same shall apply in cases where he or she intends to change any of the following matters: Article 22(1)
    {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)]
    Privacy protection for information and data Data and Information Management
    Document each individual's personal data collection consent preferences. CC ID 06945 Privacy protection for information and data Establish/Maintain Documentation
    Provide explicit consent that is clear and unambiguous. CC ID 00181 Privacy protection for information and data Data and Information Management
    Allow individuals to change their personal data collection consent preferences. CC ID 06946 Privacy protection for information and data Data and Information Management
    Adhere to each individual's personal data collection consent preferences. CC ID 06947 Privacy protection for information and data Data and Information Management
    Notify the data subject of the source of collected personal data. CC ID 00083 Privacy protection for information and data Behavior
    Furnish disclosure of information and usage of information to data subjects when oral consent is given. CC ID 04717 Privacy protection for information and data Data and Information Management
    Disclose the direct marketing purpose before obtaining consent for collecting information. CC ID 04718 Privacy protection for information and data Data and Information Management
    Establish and maintain a personal data definition. CC ID 00028 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's name in the personal data definition. CC ID 04710 Privacy protection for information and data Data and Information Management
    Include an individual's name combined with other personal data in the personal data definition. CC ID 04709 Privacy protection for information and data Data and Information Management
    Include the legal surname of the parent or legal representative prior to marriage in the personal data definition. CC ID 04686 Privacy protection for information and data Data and Information Management
    Include an individual's signature in the personal data definition. CC ID 04711 Privacy protection for information and data Data and Information Management
    Include an individual's date of birth in the personal data definition. CC ID 04770 Privacy protection for information and data Data and Information Management
    Include the number of children in the personal data definition. CC ID 13759 Privacy protection for information and data Establish/Maintain Documentation
    Include the individual's religion in the personal data definition. CC ID 13765 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's physical characteristics or description in the personal data definition. CC ID 04712 Privacy protection for information and data Data and Information Management
    Include an individual's biometric data in the personal data definition. CC ID 04698 Privacy protection for information and data Data and Information Management
    Include an individual's photographic image in the personal data definition. CC ID 04779 Privacy protection for information and data Data and Information Management
    Include an individual's fingerprints in the personal data definition. CC ID 04689 Privacy protection for information and data Data and Information Management
    Include an individual's address in the personal data definition. CC ID 04687 Privacy protection for information and data Data and Information Management
    Include an individual's telephone number in the personal data definition. CC ID 04688 Privacy protection for information and data Data and Information Management
    Include an individual's fax number in the personal data definition. CC ID 07120 Privacy protection for information and data Data and Information Management
    Include an individual's political party affiliation in the personal data definition. CC ID 13764 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's license plate number in the personal data definition. CC ID 13763 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's financial account number in the personal data definition. CC ID 04692 Privacy protection for information and data Data and Information Management
    Include an individual's account balances in the personal data definition. CC ID 13770 Privacy protection for information and data Establish/Maintain Documentation
    Include stock numbers, bond numbers, and other security certificate numbers in the personal data definition. CC ID 04768 Privacy protection for information and data Data and Information Management
    Include an individual's electronic identification name or number in the personal data definition. CC ID 04694 Privacy protection for information and data Data and Information Management
    Include an individual's logon credentials in the personal data definition. CC ID 13771 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's Alien Registration Number in the personal data definition. CC ID 04743 Privacy protection for information and data Data and Information Management
    Include an individual's passport number in the personal data definition. CC ID 04713 Privacy protection for information and data Data and Information Management
    Include an individual's driver's license number or an individual's state identification card number in the personal data definition. CC ID 04691 Privacy protection for information and data Data and Information Management
    Include an individual's Social Security Number or Personal Identification Number in the personal data definition. CC ID 04690 Privacy protection for information and data Data and Information Management
    Include an individual's military identification number in the personal data definition. CC ID 13083 Privacy protection for information and data Establish/Maintain Documentation
    Include an individual's e-mail address in the personal data definition. CC ID 04696 Privacy protection for information and data Data and Information Management
    Include electronic signatures in the personal data definition. CC ID 04697 Privacy protection for information and data Data and Information Management
    Include an individual's payment card information in the personal data definition. CC ID 04751 Privacy protection for information and data Data and Information Management
    Include an individual's credit card number or an individual's debit card number in the personal data definition. CC ID 04693 Privacy protection for information and data Data and Information Management
    Include an individual's payment card service code in the personal data definition. CC ID 04753 Privacy protection for information and data Data and Information Management
    Include an individual's payment card expiration date in the personal data definition. CC ID 04755 Privacy protection for information and data Data and Information Management
    Include the payment transaction data and transaction authentication data in the personal data definition. CC ID 04825 Privacy protection for information and data Data and Information Management
    Include an individual's Individually Identifiable Health Information in the personal data definition. CC ID 04700 Privacy protection for information and data Data and Information Management
    Include an individual's medical history in the personal data definition. CC ID 04701 Privacy protection for information and data Data and Information Management
    Include an individual's medical treatment in the personal data definition. CC ID 04702 Privacy protection for information and data Data and Information Management
    Include an individual's medical diagnosis in the personal data definition. CC ID 04703 Privacy protection for information and data Data and Information Management
    Include an individual's mental condition or an individual's physical condition in the personal data definition. CC ID 04704 Privacy protection for information and data Data and Information Management
    Include an individual's medical record numbers in the personal data definition. CC ID 07121 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance information in the personal data definition. CC ID 04705 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance policy number in the personal data definition. CC ID 04706 Privacy protection for information and data Data and Information Management
    Include an individual's health insurance application and health insurance claims history (including appeals) in the personal data definition. CC ID 04707 Privacy protection for information and data Data and Information Management
    Include an individual's education information in the personal data definition. CC ID 04714 Privacy protection for information and data Data and Information Management
    Include an individual's professional certification numbers or an individual's professional license numbers in the personal data definition. CC ID 07122 Privacy protection for information and data Data and Information Management
    Include an individual's employment information in the personal data definition. CC ID 04715 Privacy protection for information and data Data and Information Management
    Include an employer's Taxpayer Identification Number in the personal data definition. CC ID 04767 Privacy protection for information and data Data and Information Management
    Include an individual's Taxpayer Identification Number in the personal data definition. CC ID 04763 Privacy protection for information and data Data and Information Management
    Include an individual's employment history in the personal data definition. CC ID 04716 Privacy protection for information and data Data and Information Management
    Include an individual's place of employment in the personal data definition. CC ID 04765 Privacy protection for information and data Data and Information Management
    Include an individual's Employee Identification Number in the personal data definition. CC ID 04766 Privacy protection for information and data Data and Information Management
    Include an individual's property information in the personal data definition. CC ID 04780 Privacy protection for information and data Data and Information Management
    Include an individual's property title in the personal data definition. CC ID 04781 Privacy protection for information and data Data and Information Management
    Include an individual's vehicle registration in the personal data definition. CC ID 04782 Privacy protection for information and data Data and Information Management
    Include hardware asset identification information in the personal data definition. CC ID 07123 Privacy protection for information and data Data and Information Management
    Include MAC addresses in the personal data definition. CC ID 04778 Privacy protection for information and data Data and Information Management
    Include Internet Protocol addresses in the personal data definition. CC ID 04777 Privacy protection for information and data Data and Information Management
    Include asset serial numbers in the personal data definition. CC ID 07124 Privacy protection for information and data Data and Information Management
    Include Uniform Resource Locators in the personal data definition. CC ID 07125 Privacy protection for information and data Data and Information Management
    Refrain from including publicly available information in the personal data definition. CC ID 13084 Privacy protection for information and data Establish/Maintain Documentation
    Define specially restricted data. CC ID 00037 Privacy protection for information and data Data and Information Management
    Protect an individual's civil rights during personal data collection and personal data processing. CC ID 00079 Privacy protection for information and data Data and Information Management
    Refrain from compiling data that is likely to give rise to unlawful discrimination or arbitrary discrimination. CC ID 00075 Privacy protection for information and data Data and Information Management
    Refrain from subjecting an individual to a solely automated decision process that produces legal effects based on the evaluation of certain characteristics. CC ID 00080 Privacy protection for information and data Data and Information Management
    Implement a nondiscrimination principle. CC ID 00081 Privacy protection for information and data Data and Information Management
    Include the collection and use of personal data in the nondiscrimination principle. CC ID 11799 Privacy protection for information and data Data and Information Management
    Preserve each individual's right to human dignity. CC ID 00082 Privacy protection for information and data Data and Information Management
    Manage Personal Identification Numbers and PIN verification code numbers. CC ID 00058 Privacy protection for information and data Data and Information Management
    Employ a random number generator to create authenticators. CC ID 13782 Privacy protection for information and data Technical Security
    Collect Personal Identification Numbers with the individual's consent. CC ID 00059 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent when the law mandates. CC ID 00061 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent for research purposes. CC ID 00065 Privacy protection for information and data Data and Information Management
    Collect Personal Identification Numbers absent consent to realize the rights or duties of the data subject or data controller. CC ID 04792 Privacy protection for information and data Data and Information Management
    Refrain from requiring a Personal Identification Number to purchase goods or services. CC ID 00069 Privacy protection for information and data Behavior
    Manage health data collection. CC ID 00050 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information to provide health care services. CC ID 00052 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information when the law dictates. CC ID 00053 Privacy protection for information and data Data and Information Management
    Collect Individually Identifiable Health Information for research. CC ID 00054 Privacy protection for information and data Data and Information Management
    Remove personal data before disclosing health data. CC ID 00055 Privacy protection for information and data Data and Information Management
    Give special attention to collecting children's data. CC ID 00038 Privacy protection for information and data Data and Information Management
    Use simple understandable language to collect information from children. CC ID 00039 Privacy protection for information and data Behavior
    Notify parents or legal representatives of what information is collected from children. CC ID 00040 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent from a parent or legal representative before collecting information from children. CC ID 00041
    [A provider of information and communications services or similar shall, if he or she desires to obtain consent of a child of less than 14 years on collection, use, furnishing, and other disposition of personal information, obtain consent from his or her legal representative. In such cases, the provider of information and communications services may demand the child to furnish minimum information, such as the legal representative's name, necessary to obtain consent from the legal representative. Article 31(1)]
    Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to collect online contact information for a one-time only response to a specific request. CC ID 00043 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to request the parent or legal representative's information to obtain consent. CC ID 00044 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to additional requests which do not go beyond the scope of the request. CC ID 00045 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the child's safety. CC ID 00046 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to take liability precautions. CC ID 00047 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a judicial process. CC ID 00048 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to respond to a request for law enforcement purposes. CC ID 00049 Privacy protection for information and data Data and Information Management
    Waive verifiable consent from a parent or legal representative for collecting information from children in order to protect the website's security or integrity or the online service's security or integrity. CC ID 06199 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a personal data collection policy. CC ID 00029 Privacy protection for information and data Establish/Maintain Documentation
    Collect personal data directly from the data subject. CC ID 00011 Privacy protection for information and data Data and Information Management
    Create and manage user account aliases to maintain pseudonymity. CC ID 04549 Privacy protection for information and data Data and Information Management
    Provide unlinkability for users and resources. CC ID 04550 Privacy protection for information and data Data and Information Management
    Provide unobservability of users and resources. CC ID 04551 Privacy protection for information and data Technical Security
    Collect restricted data in a fair and lawful manner. CC ID 00010
    [{refrain from collecting} No one shall collect another person's information through an information and communications network by an act of deceit, nor shall entice another person by an act of deceit to furnish information. Article 49-2(1)
    Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the provider is designated as the identification service agency pursuant to Article 23-3; Article 23-2(1)(1)
    {relevant authority} Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where the Korea Communications Commission makes a public announcement for the provider of information and communications services who inevitably collects/uses users' resident registration numbers for his or her business purposes. Article 23-2(1)(3)]
    Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent for specific and well-documented circumstances. CC ID 00013 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when the data collection is in the individual's interests and consent cannot be obtained in a timely manner. CC ID 00014
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If the personal information is necessary in fulfilling the contract for provision of information and communications services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason; Article 22(2)(1)]
    Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when consent compromises data accuracy. CC ID 00015 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to make a disclosure. CC ID 13550 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for reasonable investigative purposes. CC ID 11801 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent if the collection is consistent with the intended purpose. CC ID 13548 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when the personal data was produced by the data subject in the course of employment, business, or profession. CC ID 13544 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for handling insurance claims. CC ID 13543 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when the data subject has authorized the collection through another individual. CC ID 00016 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent if the disclosure is to the next of kin or authorized representative. CC ID 15295 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to establish, manage, or terminate employment contracts. CC ID 13614 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to protect the data subject's vital interests. CC ID 15277 Privacy protection for information and data Data and Information Management
    Collect personal data for public interests absent consent in order to protect historical records or archival records. CC ID 15289 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent to administer a trust fund or benefit plan. CC ID 15292 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent for journalistic purposes, artistic purposes, or literary purposes. CC ID 00017 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent in order to collect a debt owed by the data subject. CC ID 15293
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If it is necessary in paying charges on the information and communication services rendered; Article 22(2)(2)]
    Privacy protection for information and data Data and Information Management
    Collect personal data absent consent for statistical purposes or research purposes and the data subject is not identified. CC ID 00018 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent from publicly available information. CC ID 00019 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when needed by law. CC ID 00020
    [A provider of information and communications services may collect and use personal information of a user without the consent under paragraph (1) in any of the following cases: If a specific provision exists in this Act or any other Act otherwise. Article 22(2)(3)
    {refrain from collecting}{be necessary} No provider of information and communications services may collect personal information regarding any person, such as his or her ideology, beliefs, family relationship status, kinship and matrimonial relationship, educational background, and medical history, which is anticipated to otherwise infringe seriously upon any right, interest, or privacy of the person: Provided, That he or she may collect such personal information within the minimum scope necessary where he or she obtains consent of the user under Article 22 (1) or such personal information is specially permitted as personal information that may be collected pursuant to any other Act. Article 23(1)]
    Privacy protection for information and data Data and Information Management
    Collect personal data absent consent to create a credit report. CC ID 15287 Privacy protection for information and data Data and Information Management
    Collect restricted data absent consent when no potential harm can come to the data subject. CC ID 00021 Privacy protection for information and data Data and Information Management
    Collect personal data absent consent when collecting personal data from the data subject is impossible or the data collection involves a disproportionate effort. CC ID 00022 Privacy protection for information and data Data and Information Management
    Collect the minimum amount of restricted data necessary. CC ID 00078
    [{be necessary} Where a provider of information and communications services collects personal information of a user, he or she shall only collect personal information within the minimum scope necessary to provide information and communications services. Article 23(2)]
    Privacy protection for information and data Data and Information Management
    Collect restricted data in a proper information framework. CC ID 00009 Privacy protection for information and data Data and Information Management
    Collect and record restricted data for specific, explicit, and legitimate purposes. CC ID 00027 Privacy protection for information and data Data and Information Management
    Collect restricted data when required by law. CC ID 00031
    [Other than the cases falling under any of the following subparagraphs, a provider of information and communications services may not collect/use users' resident registration numbers: Where collection/use of users' resident registration numbers is authorized by statutes; Article 23-2(1)(2)]
    Privacy protection for information and data Data and Information Management
    Collect restricted data to prevent life-threatening emergencies. CC ID 00032 Privacy protection for information and data Data and Information Management
    Collect restricted data relating solely to nonprofit organization members or individuals who are in regular contact during the nonprofit organization's activities. CC ID 00034 Privacy protection for information and data Data and Information Management
    Collect restricted data for legal purposes. CC ID 00036 Privacy protection for information and data Data and Information Management
    Provide the data subject with information about the data controller during the collection process. CC ID 00023 Privacy protection for information and data Establish/Maintain Documentation
    Disseminate and communicate the data collector's name and contact information to all interested personnel. CC ID 13760 Privacy protection for information and data Communicate
    Provide the data subject with the data collector's name and contact information. CC ID 00024
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)]
    Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name of the data collector who will hold the collected restricted data. CC ID 00025 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data. CC ID 00026
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Trade name and contact information of the other party (referring to a person who sells and/or provides goods/services in a transaction through telecommunications billing services; hereinafter referred to as "other party to a transaction"); Article 58(1)(2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain a data handling program. CC ID 13427 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data handling policies. CC ID 00353
    [{do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1]
    Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain data and information confidentiality policies. CC ID 00361
    [{refrain from circulating} No one may circulate information falling under any of the following subparagraphs through an information and communications network: Information with a content that divulges a secret classified by statutes or any other State secret; Article 44-7(1)(7)
    {do not} No one shall mutilate another person's information processed, stored, or transmitted through an information and communications network, nor shall infringe, misappropriate, or divulge another person's secret. Article 49 ¶ 1]
    Privacy protection for information and data Establish/Maintain Documentation
    Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 Privacy protection for information and data Data and Information Management
    Protect electronic messaging information. CC ID 12022 Privacy protection for information and data Technical Security
    Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 Privacy protection for information and data Data and Information Management
    Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 Privacy protection for information and data Configuration
    Store payment card data in secure chips, if possible. CC ID 13065 Privacy protection for information and data Configuration
    Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 Privacy protection for information and data Configuration
    Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 Privacy protection for information and data Technical Security
    Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 Privacy protection for information and data Data and Information Management
    Log the disclosure of personal data. CC ID 06628 Privacy protection for information and data Log Management
    Log the modification of personal data. CC ID 11844 Privacy protection for information and data Log Management
    Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 Privacy protection for information and data Technical Security
    Implement security measures to protect personal data. CC ID 13606
    [The persons manufacturing and providing a basic operating system (referring to an operating environment in which software installed in mobile devices can be run) of mobile devices, the manufacturers of mobile devices, and the persons manufacturing and providing software for mobile devices shall take measures necessary for protecting users' information, such as devising methods for users to give or revoke consent to access authority where the provider of information and communications services intends to access the information stored and functions installed in mobile devices. Article 22-2(3)
    Every provider of information and communications services or similar shall, when he or she manages personal information of users, take the following technical and administrative measures in accordance with the guidelines prescribed by Presidential Decree to prevent loss, theft, leakage, forgery or alteration of or damage to personal information and secure the safety of personal information: Other protective measures necessary for securing safety of personal information. Article 28(1)(6)
    A person who manages or has ever managed personal information of users shall not damage, intrude on, or disclose personal information that he or she learned in the course of performing his or her duty. Article 28-2(1)]
    Privacy protection for information and data Technical Security
    Implement physical controls to protect personal data. CC ID 00355 Privacy protection for information and data Testing
    Limit data leakage. CC ID 00356
    [{refrain from exposing} A provider, etc. of information and communications services shall ensure that users' personal information such as resident registration numbers, account numbers and credit card information is not exposed to the public through information and communications networks. Article 32-3(1)
    The Government may have the providers of information and communications services that manage the information under subparagraphs of paragraph (2) take the following measures: Measures for preventing leakage of important information that providers of information and communications services have learned while managing the information. Article 51(3)(3)
    A provider of information and communications services, etc. shall prepare countermeasures against the leakages, etc. of personal information, and shall seek measures to minimize any damage thereof. Article 27-3(5)]
    Privacy protection for information and data Data and Information Management
    Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 Privacy protection for information and data Monitor and Evaluate Occurrences
    Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 Privacy protection for information and data Business Processes
    Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 Privacy protection for information and data Acquisition/Sale of Assets or Services
    Alert appropriate personnel when data leakage is detected. CC ID 14715 Privacy protection for information and data Process or Activity
    Include text about data ownership in the data handling policy. CC ID 15720 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain call metadata controls. CC ID 04790 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 Privacy protection for information and data Data and Information Management
    Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 Privacy protection for information and data Data and Information Management
    Store de-identifying code and re-identifying code separately. CC ID 16535 Privacy protection for information and data Data and Information Management
    Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 Privacy protection for information and data Data and Information Management
    Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 Privacy protection for information and data Communicate
    Establish, implement, and maintain data handling procedures. CC ID 11756 Privacy protection for information and data Establish/Maintain Documentation
    Define personal data that falls under breach notification rules. CC ID 00800 Privacy protection for information and data Establish/Maintain Documentation
    Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 Privacy protection for information and data Data and Information Management
    Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 Privacy protection for information and data Data and Information Management
    Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 Privacy protection for information and data Data and Information Management
    Define an out of scope privacy breach. CC ID 04677 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 Privacy protection for information and data Business Processes
    Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 Privacy protection for information and data Monitor and Evaluate Occurrences
    Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 Privacy protection for information and data Monitor and Evaluate Occurrences
    Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 Privacy protection for information and data Communicate
    Establish, implement, and maintain a personal data transfer program. CC ID 00307 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent from an individual prior to transferring personal data. CC ID 06948
    [Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Article 24-2(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: The person to whom the personal information is furnished; Article 24-2(1)(1)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Purposes of use of the personal information of the person to whom the personal information is furnished; Article 24-2(1)(2)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Items of the personal information furnished; Article 24-2(1)(3)
    Every provider of information and communications services shall, whenever he or she intends to furnish a third party with personal information of a user, notify the user of all the following matters and obtain consent from the user, except as provided for in Article 22 (2) 2 and 3. The same shall apply in cases where there is a change in any of the following matters: Period of time during which the person to whom the personal information is furnished will possess and use the personal information. Article 24-2(1)(4)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Any person to whom the management of personal information is entrusted (hereinafter referred to as a "trustee"); Article 25(1)(1)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Details of the business affairs subject to the entrustment of management of personal information. Article 25(1)(2)
    A provider of information and communications services or a person who received personal information of users from the provider of information and communications services in accordance with Article 24-2 (1) (hereinafter referred to as a "provider of information and communications services or similar") shall, if he or she intends to entrust a third party with handling of business affairs related to personal information (hereinafter referred to as "entrustment of management of personal information") so as to collect, create, connect, link, record, save, hold, process, edit, search, print, correct, recover, use, provide, disclose, destruct or treat similarly users' personal information (hereinafter referred to as "management"), notify the users of all the following matters and shall obtain consent of the users. The same shall apply in cases where there exists a change in any of the following matters: Article 25(1)
    {abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2)
    {refrain from refusing} When the provider, etc. of information and communications services under Article 25 (1) is given the consent to furnishing user's information under paragraph (1) and to the entrustment of management of personal information under Article 25 (1), he or she shall obtain such consent apart from the consent to collection/use of personal information pursuant to Article 22, and shall not refuse to provide its service on the ground of a user's refusal of aforementioned consent. Article 24-2(3)]
    Privacy protection for information and data Data and Information Management
    Include procedures for transferring personal data from one data controller to another data controller in the personal data transfer program. CC ID 00351 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from requiring independent recourse mechanisms when transferring personal data from one data controller to another data controller. CC ID 12528 Privacy protection for information and data Business Processes
    Notify data subjects when their personal data is transferred. CC ID 00352
    [Where a provider of information and communications services or similar transfers personal information of users to a third party due to transfer of business, in whole or in part, merger, or any similar cause, he or she shall notify the users of all the following matters by publishing them on its internet homepage or by electronic mail or any other means specified by Presidential Decree: The fact that the personal information is to be transferred; Article 26(1)(1)
    A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)]
    Privacy protection for information and data Behavior
    Include procedures for transferring personal data to third parties in the personal data transfer program. CC ID 00333
    [A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)]
    Privacy protection for information and data Establish/Maintain Documentation
    Notify data subjects of the geographic locations of the third parties when transferring personal data to third parties. CC ID 14414
    [A provider of information and communications services or similar who desires to obtain the consent under paragraph (2) shall notify the relevant user of all the following matters in advance: A nation to which the personal information is to be transferred, the date and time, and methods of transfer; Article 63(3)(2)]
    Privacy protection for information and data Communicate
    Provide an adequate data protection level by the transferee prior to transferring personal data to another country. CC ID 00314
    [A provider of information and communications services or similar shall, when it transfers personal information to abroad with consent under paragraph (2), take protective measures, as prescribed by Presidential Decree. Article 63(4)]
    Privacy protection for information and data Data and Information Management
    Refrain from restricting personal data transfers to member states of the European Union. CC ID 00312 Privacy protection for information and data Data and Information Management
    Prohibit the transfer of personal data when security is inadequate. CC ID 00345 Privacy protection for information and data Data and Information Management
    Meet the use of limitation exceptions in order to transfer personal data. CC ID 00346 Privacy protection for information and data Data and Information Management
    Refrain from transferring past the first transfer. CC ID 00347 Privacy protection for information and data Data and Information Management
    Document transfer disagreements by the data subject in writing. CC ID 00348 Privacy protection for information and data Establish/Maintain Documentation
    Allow the data subject the right to object to the personal data transfer. CC ID 00349 Privacy protection for information and data Data and Information Management
    Authorize the transfer of restricted data in accordance with organizational standards. CC ID 16428 Privacy protection for information and data Records Management
    Follow the instructions of the data transferrer. CC ID 00334 Privacy protection for information and data Behavior
    Define the personal data transfer exceptions for transferring personal data to another country when adequate protection level standards are not met. CC ID 00315 Privacy protection for information and data Establish/Maintain Documentation
    Include publicly available information as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00316 Privacy protection for information and data Data and Information Management
    Include transfer agreements between data controllers and third parties when it is for the data subject's interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00317 Privacy protection for information and data Data and Information Management
    Include personal data for the health field and for treatment as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00318 Privacy protection for information and data Data and Information Management
    Include personal data for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00319 Privacy protection for information and data Data and Information Management
    Include personal data for important public interest as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00320 Privacy protection for information and data Data and Information Management
    Include consent by the data subject as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00321 Privacy protection for information and data Data and Information Management
    Include personal data used for a contract as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00322
    [{abroad}{refrain from obtaining} A provider, etc. of information and communications services shall obtain consent of the users in the case of intending to provide (including being inquired of), entrust management of, or deposit, such users' personal information, to overseas (hereafter referred to as "transfer" in this Article): Provided, That the said provider, etc. of information and communications services may not go through a procedure for consent to either entrustment of management, or deposit, of the relevant personal information where such transfer is necessary for implementing a contract on the provision of information and communications services and promoting the users' convenience, and such provider, etc. discloses all the matters referred to in each subparagraph of paragraph (3) pursuant to Article 27-2 (1) or informs such matters to the users in a manner prescribed by Presidential Decree, including by means of email. Article 63(2)]
    Privacy protection for information and data Data and Information Management
    Include personal data for protecting the data subject or the data subject's interests, such as saving his/her life or providing healthcare as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00323 Privacy protection for information and data Data and Information Management
    Include personal data that is necessary to fulfill international law obligations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00324 Privacy protection for information and data Data and Information Management
    Include personal data used for legal investigations as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00325 Privacy protection for information and data Data and Information Management
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to another country outside an adequate data protection level. CC ID 00326 Privacy protection for information and data Data and Information Management
    Require transferees to implement adequate data protection levels for the personal data. CC ID 00335 Privacy protection for information and data Data and Information Management
    Refrain from requiring a contract between the data controller and trusted third parties when personal information is transferred. CC ID 12527 Privacy protection for information and data Business Processes
    Define the personal data transfer exceptions for transferring personal data to another organization when adequate protection level standards are not met. CC ID 00336 Privacy protection for information and data Establish/Maintain Documentation
    Include personal data that is publicly available information as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00337 Privacy protection for information and data Data and Information Management
    Include personal data that is used for journalistic purposes or private purposes as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00338 Privacy protection for information and data Data and Information Management
    Include personal data that is used for important public interest as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00339 Privacy protection for information and data Data and Information Management
    Include consent by the data subject as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00340 Privacy protection for information and data Data and Information Management
    Include personal data that is used for a contract as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00341 Privacy protection for information and data Data and Information Management
    Include personal data that is used for protecting the data subject or the data subject's interests, such as providing healthcare or saving his/her life as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00342 Privacy protection for information and data Data and Information Management
    Include personal data that is used for a legal investigation as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00343 Privacy protection for information and data Data and Information Management
    Include personal data that is authorized by a legislative act as a personal data transfer exception for transferring personal data to a third party outside adequate data protection levels. CC ID 00344 Privacy protection for information and data Data and Information Management
    Notify data subjects about organizational liability when transferring personal data to third parties. CC ID 12353 Privacy protection for information and data Communicate
    Notify the data subject of any personal data changes during the personal data transfer. CC ID 00350 Privacy protection for information and data Behavior
    Establish, implement, and maintain Internet interactivity data transfer procedures. CC ID 06949 Privacy protection for information and data Establish/Maintain Documentation
    Obtain consent prior to storing cookies on an individual's browser. CC ID 06950 Privacy protection for information and data Data and Information Management
    Obtain consent prior to downloading software to an individual's computer. CC ID 06951
    [A provider of information and communications services shall, when it intends to install a program designed to display advertising information or collect personal information in a user's computer or any other information processing device specified by Presidential Decree, obtain consent from the user. In such cases, it shall notify the purpose of use of the program and the method of deletion. Article 50-5 ¶ 1]
    Privacy protection for information and data Data and Information Management
    Refrain from installing software on an individual's computer unless acting in accordance with a court order. CC ID 14000 Privacy protection for information and data Process or Activity
    Remove or uninstall software from an individual's computer, as necessary. CC ID 13998 Privacy protection for information and data Process or Activity
    Remove or uninstall software from an individual's computer when consent is revoked. CC ID 13997 Privacy protection for information and data Process or Activity
    Obtain consent prior to tracking Internet traffic patterns or browsing history of an individual. CC ID 06961 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a privacy impact assessment. CC ID 13712 Privacy protection for information and data Establish/Maintain Documentation
    Include the individuals with whom information is shared in the privacy impact assessment. CC ID 15520 Privacy protection for information and data Establish/Maintain Documentation
    Include how to grant consent in the privacy impact assessment. CC ID 15519 Privacy protection for information and data Establish/Maintain Documentation
    Include the opportunities for individuals to consent to using their information in the privacy impact assessment. CC ID 15518 Privacy protection for information and data Establish/Maintain Documentation
    Include the opportunities for opting out of information collection in the privacy impact assessment. CC ID 15517 Privacy protection for information and data Establish/Maintain Documentation
    Include data handling procedures in the privacy impact assessment. CC ID 15516 Privacy protection for information and data Establish/Maintain Documentation
    Include the intended use of information in the privacy impact assessment. CC ID 15515 Privacy protection for information and data Establish/Maintain Documentation
    Include the reason information is being collected in the privacy impact assessment. CC ID 15514 Privacy protection for information and data Establish/Maintain Documentation
    Include the type of information to be collected in the privacy impact assessment. CC ID 15513 Privacy protection for information and data Business Processes
    Disseminate and communicate the results of the Privacy Impact Assessment to interested personnel and affected parties. CC ID 15458 Privacy protection for information and data Communicate
    Develop remedies and sanctions for privacy policy violations. CC ID 00474
    [The operator or the manager of the Internet website may take measures, such as deletion of advertising information for profit posted, in violation of paragraph (1) or (2). Article 50-7(3)
    A provider of information and communications services may, if it finds that information circulated through the information and communications network operated and managed by him or her intrudes on someone's privacy, defames someone, or violates someone's rights, take temporary measures at its discretion. Article 44-3(1)]
    Privacy protection for information and data Data and Information Management
    Define the behaviors and actions that are included in privacy rights violations. CC ID 14852 Privacy protection for information and data Behavior
    Include the individual's name who is the subject of the complaint in the privacy rights violation complaint. CC ID 14359 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from charging a fee to file a privacy rights violation complaint. CC ID 16807 Privacy protection for information and data Business Processes
    Refrain from updating personal data on a regular basis, unless it is necessary for the purposes it was collected. CC ID 13610 Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a privacy dispute resolution program. CC ID 12526
    [Every provider of telecommunications billing services may install and operate an institution or organization that voluntarily resolves disputes to protect rights and interests of users. Article 59(1)
    A provider of information and communications services or similar shall, in receipt of a request for correction of an error in accordance with paragraph (2), correct the error, notify the user of the reasons why it is unable to correct the error, if it is the case, or take any other necessary measures, and may not use the relevant personal information or furnish it to a third party until he or she completes taking such measures: Provided, That he or she may furnish the personal information to a third party or use the information, if requested to furnish the personal information pursuant to any other Act. Article 30(5)
    {violate}{right}{make known} A provider of information and communications services shall, upon receiving a request for deletion or rebuttal of the information under paragraph (1), delete the information, take a temporary measure, or any other necessary measure, and shall notify the applicant and the publisher of the information immediately. In such cases, the provider of information and communications services shall make it known to users that he or she has taken necessary measures by posting a public notification on the relevant message board or in any other way. Article 44-2(2)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include potential remedies in the privacy dispute resolution program. CC ID 12531 Privacy protection for information and data Establish/Maintain Documentation
    Provide the data subject with the name, title, and address to whom complaints are forwarded. CC ID 00395 Privacy protection for information and data Establish/Maintain Documentation
    Include the time frames in which privacy rights violation complaints are processed in the privacy dispute resolution program. CC ID 12529 Privacy protection for information and data Establish/Maintain Documentation
    Document unresolved challenges. CC ID 13568 Privacy protection for information and data Establish/Maintain Documentation
    Establish, implement, and maintain an accuracy resolution policy. CC ID 00460 Privacy protection for information and data Establish/Maintain Documentation
    Notify individuals of their right to challenge personal data. CC ID 00457
    [When the price for goods, etc. sold or provided must be paid, or a provider of telecommunications billing services charges the price therefor, it shall notify the users of telecommunications billing services of the following matters: Methods of raising an objection and contact information. Article 58(1)(4)]
    Privacy protection for information and data Data and Information Management
    Notify individuals of their right to object to personal data for legitimate reasons. CC ID 00458 Privacy protection for information and data Data and Information Management
    Terminate an individual's restriction agreement under specific circumstances. CC ID 06260 Privacy protection for information and data Configuration
    Notify individuals of their ability to challenge personal behavioral assessments on record. CC ID 04798 Privacy protection for information and data Human Resources Management
    Notify individuals of their ability to object to personal data processing, absent cost. CC ID 00459 Privacy protection for information and data Data and Information Management
    Notify individuals of the time frame in which they may challenge personal data. CC ID 16861 Privacy protection for information and data Communicate
    Investigate the disputed accuracy of personal data. CC ID 00461 Privacy protection for information and data Data and Information Management
    Notify third parties of unresolved challenges. CC ID 13559 Privacy protection for information and data Communicate
    Document disagreements as to whether personal data is complete and accurate. CC ID 06952
    [Where information provided through an information and communications network purposely to be made public intrudes on other persons' privacy, defames other persons, or violates other persons' right otherwise, the victim of such violation may request the provider of information and communications services who managed the information to delete the information or publish a rebuttable statement (hereinafter referred to as "deletion or rebuttal"), presenting explanatory materials supporting the alleged violation. Article 44-2(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Include the change to the personal data that the data subject requested and the reason the organization refused to make the change in the statement of disagreement. CC ID 06954 Privacy protection for information and data Establish/Maintain Documentation
    Include the allegations against the organization in the notice of investigation. CC ID 13031 Privacy protection for information and data Establish/Maintain Documentation
    Refer privacy rights violation complaints to the Privacy Commissioner under certain conditions. CC ID 00481
    [{relevant authority} If parties fail to or are unable to reach an agreement on compensation for damages under paragraph (2), either party may file an application for decision with the Korea Communications Commission. Article 60(3)]
    Privacy protection for information and data Behavior
    Determine not to investigate privacy rights violation complaints under certain conditions. CC ID 00482 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the act or practice does not interfere with an individual's privacy. CC ID 00483 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the complaint is created outside the stipulated time frame after the complainant became aware of it. CC ID 00484 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint when the complaint is frivolous, vexatious, misconceived, or lacking in substance. CC ID 00485 Privacy protection for information and data Behavior
    Refrain from investigating a privacy rights violation complaint if the act or practice is subject to an application under another commonwealth law, state law, or territory law, and the complaint was or is being dealt with adequately under the law. CC ID 00486 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations under certain conditions. CC ID 00487 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations when the respondent has made an application for a determination. CC ID 00488 Privacy protection for information and data Behavior
    Defer privacy rights violation complaint investigations when the Privacy Commissioner believes the data subject's interests would not be affected if the investigation or further investigation were deferred until the application was disposed of. CC ID 00489 Privacy protection for information and data Behavior
    Define the organization's liability based on the applicable law. CC ID 00504
    [If the trustee violates any provision of this Chapter in connection with the business affairs related to the entrustment of management of personal information and inflicts damages upon a user, the trustee shall be deemed an employee of the provider of information and communications services or similar in determining liability for such damages. Article 25(5)
    A provider of information and communications services may, if he or she takes necessary measures under paragraph (2) for the information circulated through the information and communications network operated and managed by it, have its liability for damages caused by such information mitigated or discharged. Article 44-2(6)
    A provider of telecommunications billing services shall be liable for damages caused to a user of the telecommunications billing services while rendering the services: Provided, That the same shall not apply in cases where the damages were caused by an intentional act or gross negligence on the part of the user of the telecommunications billing services. Article 60(1)]
    Privacy protection for information and data Establish/Maintain Documentation
    Define the sanctions and fines available for privacy rights violations based on applicable law. CC ID 00505 Privacy protection for information and data Establish/Maintain Documentation
    Define the appeal process based on the applicable law. CC ID 00506 Privacy protection for information and data Establish/Maintain Documentation
    Define the fee structure for the appeal process. CC ID 16532 Privacy protection for information and data Process or Activity
    Define the time requirements for the appeal process. CC ID 16531 Privacy protection for information and data Process or Activity
    Disseminate and communicate instructions for the appeal process to interested personnel and affected parties. CC ID 16544 Privacy protection for information and data Communicate
    Disseminate and communicate a written explanation of the reasons for appeal decisions to interested personnel and affected parties. CC ID 16542 Privacy protection for information and data Communicate
    Provide notice of proposed penalties. CC ID 06216 Privacy protection for information and data Establish/Maintain Documentation
    Notify the public and other agencies after a penalty becomes final. CC ID 06217 Privacy protection for information and data Behavior
    Establish, implement, and maintain an anti-spam policy. CC ID 00283 Privacy protection for information and data Establish/Maintain Documentation
    Refrain from sending unsolicited commercial electronic messages under predetermined conditions. CC ID 13993
    [{refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically register telephone numbers or email addresses for the purpose of transmitting advertising information for profit; Article 50(5)(3)
    {refrain from posting} Notwithstanding paragraph (1), where the operator or the manager of an Internet website explicitly expresses his or her intention to refuse to post a notice or to revoke his or her prior consent, no person who intends to post advertising information for profit shall post advertising information for profit. Article 50-7(2)]
    Privacy protection for information and data Communicate
    Include contact information in commercial electronic messages. CC ID 15457
    [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: The name and contact details of a sender; Article 50(4)(1)]
    Privacy protection for information and data Business Processes
    Refrain from using misleading subject lines or false subject line on unsolicited commercial electronic messages. CC ID 00294
    [{refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to hide the identity of the sender of advertising information or the source from which advertising is transmitted; Article 50(5)(4)
    {refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Various measures to induce an addressee to reply by deceiving him or her for the purpose of transmitting advertising information for profit. Article 50(5)(5)]
    Privacy protection for information and data Behavior
    Refrain from using address-harvesting software to send unsolicited commercial e-mails. CC ID 00298
    [{refrain from taking} No person who transmits advertising information for profit by using an electronic transmission medium shall take any of the following measures: Measures to automatically generate an addressee's contact information, such as telephone numbers and email addresses, by combining figures, codes, or letters; Article 50(5)(2)]
    Privacy protection for information and data Behavior
    Include that commercial electronic messages may be sent to an individual in any situation where the sender has prior consent from the individual or another existing business relationship in the anti-spam policy. CC ID 00300 Privacy protection for information and data Establish/Maintain Documentation
    Send commercial electronic messages to individuals who have consented to receive them. CC ID 00302
    [If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Article 50(1)]
    Privacy protection for information and data Behavior
    Send commercial electronic messages to individuals who have an existing relationship with the organization. CC ID 00301
    [{refrain from obtaining} If any person intends to transmit advertising information for profit by using an electronic transmission medium, he or she shall obtain explicit prior consent from an addressee to whom such information is addressed: Provided, That where he or she falls under any of the following, he or she need not obtain prior consent: Where a person who has directly collected contact details from the addressee in his or her dealings of goods, etc. intends to transmit advertising information for profit on the same kinds of goods, etc. as those he or she manages and has dealt with the addressee within a period prescribed by Presidential Decree; Article 50(1)(1)
    {refrain from obtaining} Where any person intends to post advertising information for profit on an Internet website, he or she shall obtain prior consent from the operator or the manager of an Internet website: Provided, That in cases of a message board to which any person can have easy access without special authority and on which any person can post his or her message, he or she need not obtain prior consent. Article 50-7(1)]
    Privacy protection for information and data Behavior
    Give customers the opportunity to object to receiving commercial electronic messages. CC ID 00304
    [A person who transmits advertising information for profit by using an electronic transmission medium shall specify the following matters in advertising information, as prescribed by Presidential Decree: Matters concerning measures and methods by which an addressee can easily express his or her intention to refuse to receive information or to revoke his or her consent to receive information. Article 50(4)(2)]
    Privacy protection for information and data Data and Information Management
    Establish, implement, and maintain a supply chain management program. CC ID 11742
    [A person who has commissioned a third party to transmit advertising information for profit on his or her behalf shall control and oversee the person to whom the transmission was commissioned to ensure that the person does not violate Article 50. Article 50-3(1)
    A provider of information and communications services or similar shall control, supervise and educate the trustee to ensure that the trustee does not violate any provision of this Chapter. Article 25(4)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796
    [A provider of information and communications services may take measures to refuse rendering corresponding services in any of the following cases: If transmission or reception of advertising information hinders or is likely to hinder rendering the services; Article 50-4(1)(1)
    Any provider of information and communications services or similar shall not conclude an international contract with any term or condition in violation of this Act with respect to personal information of users. Article 63(1)
    {relevant authority} Every provider of telecommunications billing services shall prepare a standard contract form on telecommunications billing services and report it to the Minister of Science, ICT and Future Planning (including reporting on a revision thereto). Article 56(1)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Review and update all contracts, as necessary. CC ID 11612 Third Party and supply chain oversight Establish/Maintain Documentation
    Document and maintain supply chain processes. CC ID 08816 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain an exit plan. CC ID 15492 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in the exit plan. CC ID 15497 Third Party and supply chain oversight Establish/Maintain Documentation
    Test the exit plan, as necessary. CC ID 15495 Third Party and supply chain oversight Testing
    Include contingency plans in the third party management plan. CC ID 10030 Third Party and supply chain oversight Establish/Maintain Documentation
    Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 Third Party and supply chain oversight Systems Continuity
    Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the product or service to be provided in third party contracts. CC ID 06509 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the products or services fees in third party contracts. CC ID 10018 Third Party and supply chain oversight Establish/Maintain Documentation
    Include which parties are responsible for which fees in third party contracts. CC ID 10019 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the type of information being transmitted in the information flow agreement. CC ID 14245 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the security requirements in the information flow agreement. CC ID 14244 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the interface characteristics in the information flow agreement. CC ID 14240 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 Third Party and supply chain oversight Establish/Maintain Documentation
    Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of the data or information to be covered in third party contracts. CC ID 06510 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 Third Party and supply chain oversight Business Processes
    Include text about data ownership in third party contracts. CC ID 06502 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the contract duration in third party contracts. CC ID 16221 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in third party contracts. CC ID 13487 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cryptographic keys in third party contracts. CC ID 16179 Third Party and supply chain oversight Establish/Maintain Documentation
    Include bankruptcy provisions in third party contracts. CC ID 16519 Third Party and supply chain oversight Establish/Maintain Documentation
    Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 Third Party and supply chain oversight Establish/Maintain Documentation
    Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a reporting structure in third party contracts. CC ID 06532 Third Party and supply chain oversight Establish/Maintain Documentation
    Include points of contact in third party contracts. CC ID 12355 Third Party and supply chain oversight Establish/Maintain Documentation
    Include financial reporting in third party contracts, as necessary. CC ID 13573 Third Party and supply chain oversight Establish/Maintain Documentation
    Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 Third Party and supply chain oversight Establish/Maintain Documentation
    Include training requirements in third party contracts. CC ID 16367 Third Party and supply chain oversight Acquisition/Sale of Assets or Services
    Include an indemnification and liability clause in third party contracts. CC ID 06517 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text regarding foreign-based third parties in third party contracts. CC ID 06722 Third Party and supply chain oversight Establish/Maintain Documentation
    Include change control clauses in third party contracts, as necessary. CC ID 06523 Third Party and supply chain oversight Establish/Maintain Documentation
    Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 Third Party and supply chain oversight Establish/Maintain Documentation
    Include triggers for renegotiating the contract in third party contracts. CC ID 06527 Third Party and supply chain oversight Establish/Maintain Documentation
    Include change control notification processes in third party contracts. CC ID 06524
    [When a provider of telecommunications billing services (a person who provides services under Article 2 (1) 10 (a)) amends any of the contractual terms and conditions, he or she shall notify users of the amendment thereof one month prior to the effective date of the amended contractual terms and conditions. In such cases, a user who has an objection to the amended contractual terms and conditions may terminate the contract for telecommunications billing services. Article 58(6)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include cost structure changes in third party contracts. CC ID 10021 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a choice of venue clause in third party contracts. CC ID 06520 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a dispute resolution clause in third party contracts. CC ID 06519
    [Every provider of telecommunications billing services shall prepare a procedure for raising an objection by users of telecommunications billing services in connection with the services and redressing damages to their rights, as prescribed by Presidential Decree, and where he or she enters into a contract for telecommunications billing services, he or she shall stipulate such procedure in the terms and conditions of the contract. Article 59(2)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 Third Party and supply chain oversight Establish/Maintain Documentation
    Include early termination contingency plans in the third party contracts. CC ID 06526 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 Third Party and supply chain oversight Establish/Maintain Documentation
    Include termination costs in third party contracts. CC ID 10023 Third Party and supply chain oversight Establish/Maintain Documentation
    Include text about obtaining adequate insurance in third party contracts. CC ID 06880 Third Party and supply chain oversight Establish/Maintain Documentation
    Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a usage limitation of restricted data clause in third party contracts. CC ID 13026
    [A transferee of business or similar may use or furnish personal information only within the scope of purposes originally defined for which any provider of information and communications services or similar uses or furnishes the personal information of users: Provided, That the same shall not apply where he or she separately obtains consent from users. Article 26(3)
    A provider of information and communications services or similar shall, when he or she entrusts the management of personal information to a third party, define the scope of purposes, in advance, within which the trustee is allowed to manage personal information of users, and the trustee shall not manage the personal information of users beyond the scope of purposes. Article 25(3)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include end-of-life information in third party contracts. CC ID 15265 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791
    [A provider of telecommunications billing services shall provide users of telecommunications billing services with a method by which users can verify the details of purchase and use, and shall also furnish a user, upon request, with a written statement on the details of purchase and use (including an electronic document; hereinafter the same shall apply) within two weeks from the date requested. Article 58(2)]
    Third Party and supply chain oversight Establish/Maintain Documentation
    Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 Third Party and supply chain oversight Establish/Maintain Documentation
    Include disclosure requirements in third party contracts. CC ID 08825 Third Party and supply chain oversight Business Processes
    Include requirements for alternate processing facilities in third party contracts. CC ID 13059 Third Party and supply chain oversight Establish/Maintain Documentation
    Document the organization's supply chain in the supply chain management program. CC ID 09958 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish and maintain a Third Party Service Provider list. CC ID 12480 Third Party and supply chain oversight Establish/Maintain Documentation
    Include required information in the Third Party Service Provider list. CC ID 14429 Third Party and supply chain oversight Establish/Maintain Documentation
    Include subcontractors in the Third Party Service Provider list. CC ID 14425 Third Party and supply chain oversight Establish/Maintain Documentation
    Include alternate service providers in the Third Party Service Provider list. CC ID 14420 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 Third Party and supply chain oversight Communicate
    Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all contract dates in the Third Party Service Provider list. CC ID 14421 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 Third Party and supply chain oversight Establish/Maintain Documentation
    Include criticality of services in the Third Party Service Provider list. CC ID 14428 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a description of data used in the Third Party Service Provider list. CC ID 14427 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the location of services provided in the Third Party Service Provider list. CC ID 14423 Third Party and supply chain oversight Establish/Maintain Documentation
    Document supply chain transactions in the supply chain management program. CC ID 08857 Third Party and supply chain oversight Business Processes
    Document the supply chain's critical paths in the supply chain management program. CC ID 10032 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 Third Party and supply chain oversight Establish/Maintain Documentation
    Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 Third Party and supply chain oversight Physical and Environmental Protection
    Establish, implement, and maintain Operational Level Agreements. CC ID 13637 Third Party and supply chain oversight Establish/Maintain Documentation
    Include technical processes in operational level agreements, as necessary. CC ID 13639 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 Third Party and supply chain oversight Process or Activity
    Include the responsible party for managing complaints in third party contracts. CC ID 10022 Third Party and supply chain oversight Establish Roles
    Categorize all suppliers in the supply chain management program. CC ID 00792 Third Party and supply chain oversight Establish/Maintain Documentation
    Include risk management procedures in the supply chain management policy. CC ID 08811 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 Third Party and supply chain oversight Business Processes
    Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 Third Party and supply chain oversight Business Processes
    Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 Third Party and supply chain oversight Establish/Maintain Documentation
    Establish, implement, and maintain a supply chain management policy. CC ID 08808 Third Party and supply chain oversight Establish/Maintain Documentation
    Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 Third Party and supply chain oversight Business Processes
    Require third parties to employ a Chief Information Security Officer. CC ID 12057 Third Party and supply chain oversight Human Resources Management
    Include supplier assessment principles in the supply chain management policy. CC ID 08809 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the third party selection process in the supply chain management policy. CC ID 13132 Third Party and supply chain oversight Establish/Maintain Documentation
    Select suppliers based on their qualifications. CC ID 00795 Third Party and supply chain oversight Establish/Maintain Documentation
    Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a clear management process in the supply chain management policy. CC ID 08810 Third Party and supply chain oversight Establish/Maintain Documentation
    Include roles and responsibilities in the supply chain management policy. CC ID 15499 Third Party and supply chain oversight Establish/Maintain Documentation
    Include third party due diligence standards in the supply chain management policy. CC ID 08812 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 Third Party and supply chain oversight Communicate
    Require suppliers to commit to the supply chain management policy. CC ID 08813 Third Party and supply chain oversight Establish/Maintain Documentation
    Support third parties in building their capabilities. CC ID 08814 Third Party and supply chain oversight Business Processes
    Implement measurable improvement plans with all third parties. CC ID 08815 Third Party and supply chain oversight Business Processes
    Post a list of compliant third parties on the organization's website. CC ID 08817 Third Party and supply chain oversight Business Processes
    Use third parties that are compliant with the applicable requirements. CC ID 08818 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain a conflict minerals policy. CC ID 08943 Third Party and supply chain oversight Establish/Maintain Documentation
    Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all in scope materials in the conflict minerals policy. CC ID 08945 Third Party and supply chain oversight Establish/Maintain Documentation
    Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 Third Party and supply chain oversight Establish/Maintain Documentation
    Include all applicable authority documents in the conflict minerals policy. CC ID 08947 Third Party and supply chain oversight Establish/Maintain Documentation
    Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 Third Party and supply chain oversight Establish/Maintain Documentation
    Make the conflict minerals policy Publicly Available Information. CC ID 08949 Third Party and supply chain oversight Data and Information Management
    Establish and maintain a conflict materials report. CC ID 08823 Third Party and supply chain oversight Establish/Maintain Documentation
    Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 Third Party and supply chain oversight Establish/Maintain Documentation
    Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 Third Party and supply chain oversight Establish/Maintain Documentation
    Identify supply sources for secondary materials. CC ID 08822 Third Party and supply chain oversight Business Processes
    Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 Third Party and supply chain oversight Business Processes
    Establish, implement, and maintain outsourcing contracts. CC ID 13124 Third Party and supply chain oversight Establish/Maintain Documentation
    Include the organization approving subcontractors in the outsourcing contract. CC ID 13131
    [{business affair}{personal information} A trustee may re-entrust a third party with affairs entrusted pursuant to paragraph (1) only where the trustee obtains consent from the provider, etc. of information and communications services. Article 25(7)]
    Third Party and supply chain oversight Establish/Maintain Documentation