Korea - Labor Law - etc law on promoting the use of information and communication networks and information protection implementation date 2019(10/21)

Posted by: 春秋智谷  /  Posted on: 2021-03-23 16:13:38

CHAPTER VI SECURING OF STABILITY OF INFORMATION AND COMMUNICATIONS NETWORK

Article 45 (Securing of Stability of Information and Communications Network) (1) Every provider of information and communications services shall take protective measures to secure the reliability of the information and security of the information and communications networks.

(2) The Minister of Science and ICT may prescribe and provide a public notice of guidelines for protective measures for information (hereinafter referred to as "information protection guidelines"), specifying details of the protective measures under paragraph (1) and may recommend providers of information and communications services to observe the guidelines.  <Amended by Act No. 11322, Feb. 17, 2012; Act No. 11690, Mar. 23, 2013; Act No. 14839, Jul. 26, 2017>

(3) The information protection guidelines shall contain descriptions of the following:  <Amended by Act No. 14080, Mar. 22, 2016>

1. Technical and physical protective measures, including installation and operation of an information protection system, to prevent or counteract access to or invasion upon an information and communications network by a person with no due authorization;

2. Technical protective measures for preventing unlawful leakage, forgery, alteration, or deletion of information;

3. Technical and physical protective measures for securing the state of enabling continuous use of information and communications networks;

4. Administrative protective measures for stabilization of information and communications networks and protection of information, including securing human resources, organization, and expenses and establishing related plans.

[This Article Wholly Amended by Act No. 9119, Jun. 13, 2008]

Article 45-2 (Preliminary Examination on Information Protection) (1) If a provider of information and communications services intends to newly establish an information and communications network or to provide information and communications services, he or she shall take the matters regarding information protection into account in planning or designing thereof.

(2) The Minister of Science and ICT may recommend a person who intends to operate the information and communications services or the telecommunications business falling under any of the following to take protective measures in accordance with the preliminary examination standards as determined by Presidential Decree:  <Amended by Act No. 11690, Mar. 23, 2013; Act No. 14839, Jul. 26, 2017>

1. The information and communications services or telecommunications business determined by Presidential Decree, for which authorization or permission by the Minister of Science and ICT should be obtained or registration with or report to the Korea Communications Commission should be made pursuant to this Act or other statutes or regulations;

2. The information and communications services or telecommunications business determined by Presidential Decree and fully or partially financed by the Minister of Science and ICT for the business expenses thereof.

(3) Standards, methods, procedures, fees for the preliminary examination on protection of information pursuant to paragraph (2) and other necessary matters shall be determined by Presidential Decree.

[This Article Newly Inserted by Act No. 11322, Feb. 17, 2012]

Article 45-3 (Designation of Chief Information Security Officers) (1) In order to ensure security of information and communications systems, etc. and safe management of information, a provider of information and communications services shall designate an executive-level chief information security officer and shall report the designation to the Minister of Science and ICT: Provided, That a provider of information and communications services whose total assets, sales, and the like meet the criteria prescribed by Presidential Decree need not designate a chief information security officer.  <Amended by Act No. 12681, May 28, 2014; Act No. 14839, Jul. 26, 2017; Act No. 15628, Jun. 12, 2018>

(2) Methods and procedures for reporting under paragraph (1) shall be prescribed by Presidential Decree.  <Newly Inserted by Act No. 12681, May 28, 2014>

(3) No chief information security officer designated and reported under the main sentence of paragraph (1) (limited to where a provider of information and communications services meets the criteria prescribed by Presidential Decree with respect to total assets, sales, and the like) may simultaneously hold another office, other than the one performing duties referred to in paragraph (4).  <Newly Inserted by Act No. 15628, Jun. 12, 2018>

(4) A chief information security officer shall be responsible for the following:

1. Establishment, administration, and operation of an administrative system for information protection;

2. Analysis, evaluation, and improvement of the weakness of information protection;

3. Prevention of and response to a computer security incident;

4. Preparation of preliminary measures for information protection and designing, realization, etc. of security measures;

5. Review of a preliminary security for information protection;

6. Review of the encryption of important information and the suitability of a security server;

7. Other matters, such as taking necessary measures for protection of information pursuant to this Act or other relevant statutes or regulations.

(5) A provider of information and communications services may establish and operate an association of chief information security officers comprised of chief information security officers prescribed in paragraph (1) in order to jointly prevent and respond to a computer security incident, share necessary information, and implement other joint programs prescribed by Presidential Decree.

(6) The Government may fully or partially provide financial support to the association of chief information security officers under paragraph (5) for expenses incurred in conducting its activities.  <Amended by Act No. 13343, Jun. 22, 2015; Act No. 15628, Jun. 12, 2018>

(7) Matters regarding qualifications of a chief information security officer, etc. shall be prescribed by Presidential Decree.  <Newly Inserted by Act No. 15628, Jun. 12, 2018>

[This Article Newly Inserted by Act No. 11322, Feb. 17, 2012]

Article 46 (Protection of Clustered Information and Communications Facilities) (1) Every business entity who operates and manages clustered information and communications facilities to render information and communications services on behalf of another person (hereinafter referred to as "business entity of clustered information and communications facilities") shall take protective measures as prescribed by Presidential Decree to operate the information and communications facilities stably.

(2) Every business entity of clustered information and communications facilities shall purchase insurance policies as prescribed by Presidential Decree to cover damages that may be caused by destruction or damage of the clustered information and communications facilities or any other trouble in operation.

[This Article Wholly Amended by Act No. 9119, Jun. 13, 2008]

Article 46-2 (Emergency Countermeasures of Business Entities of Clustered Information and Communications Facilities) (1) In any of the following cases, a business entity of clustered information and communications facilities may fully or partially suspend rendering relevant services, as stipulated in the terms and conditions:  <Amended by Act No. 9637, Apr. 22, 2009; Act No. 11690, Mar. 23, 2013; Act No. 14839, Jul. 26, 2017>

1. If it is anticipated that an abnormality found in the information system of a person who uses clustered information and communications facilities (hereinafter referred to as "user of facilities") will probably cause a serious trouble to the information system of other users of facilities or clustered information and communications facilities;

2. If it is anticipated that an external computer security incident will probably cause serious trouble to the clustered information and communications facilities;

3. If there occurs a serious computer security incident and the Minister of Science and ICT or the Korea Internet and Security Agency requests to suspend the services.

(2) When a business entity of clustered information and communications facilities suspends his or her services in accordance with paragraph (1), he or she shall immediately notify users of facilities of the suspension of services, specifically stating the reasons for the suspension, the date, time, period, and details of the suspension, and other related matters.

(3) Once the event that caused suspension of services terminates, a business entity of clustered information and communications facilities shall resume his or her services immediately.

[This Article Wholly Amended by Act No. 9119, Jun. 13, 2008]

Article 46-3 Deleted.  <by Act No. 11322, Feb. 17, 2012>

Article 47 (Certification of Information Security Management Systems) (1) With respect to a person who establishes and operates a comprehensive management system, including administrative and technical protective measures, for ensuring stability and reliability of an information and communications network (hereinafter referred to as "information security management system"), the Minister of Science and ICT may certify as to whether such person meets the standards under paragraph (4).  <Amended by Act No. 11322, Feb. 17, 2012; Act No. 11690, Mar. 23, 2013; Act No. 13520, Dec. 1, 2015; Act No. 14839, Jul. 26, 2017>

(2) A telecommunication business entity under subparagraph 8 of Article 2 of the Telecommunications Business Act, or any of the following persons who provides or intermediates the provision of information by using telecommunications services of any telecommunication business entity, shall receive the certification under paragraph (1):  <Newly Inserted by Act No. 11322, Feb. 17, 2012; Act No. 13520, Dec. 1, 2015; Act No. 16019, Dec. 24, 2018>