The Financial Security Institute decided to supplement the certification standards for security management systems for financial firms together with the Personal Information Protection Commission. The controversy has grown after it emerged that Lotte Card, whose internal files were leaked in a hacking incident, received the highest grade in the certification just two days before the breach. The Financial Security Institute plans to strengthen the evaluation items related to financial transaction certifications.
According to the financial industry on the 23rd, the Financial Security Institute plans to soon work with the Personal Information Protection Commission to supplement the personal information and information security management system (ISMS-P) standards for the financial sector. As the commission recently announced a revamp plan for ISMS-P, the institute intends to strengthen its certification standards around the same time. This month, the commission unveiled a plan to upgrade ISMS-P certification with a focus on on-site audits and to consider phased mandatory adoption in key sectors such as mobile telecommunications.
ISMS-P certification is an official certification system that examines whether entities can effectively respond to cyber intrusion threats and whether corporations' information protection systems and customer personal information protection management systems are operated appropriately. It is regarded as the highest level of management system certification in Korea. The scope of certification includes whether the organization necessary for information protection is in place and the adequacy of personal information processing. While the evaluation criteria for ISMS-P are mainly prepared by the Personal Information Protection Commission, the Financial Security Institute is involved in items related to financial transactions.
A Financial Security Institute official said, "Until now, ISMS-P was closer to a 'driver's license' concept that evaluates whether a particular corporation has a basic security system in place," and added, "However, as security issues in the financial sector have spread recently, we intend to revamp the certification system in the direction of strengthening it in cooperation with the Personal Information Protection Commission."
4th month, Lotte Card said it had undergone an audit of 101 ISMS-P certification standards and obtained certification. However, around the same time, a hacking incident led to the leak of information amounting to 200GB (gigabytes). The leak included sensitive information such as resident registration numbers and the CVC (three-digit number on the back of the card), and for 280,000 of the affected members, the possibility of fraudulent use was raised.
As a result, the futility of the certification system has come under scrutiny, with criticism that obtaining ISMS-P does not guarantee safety from cyberattacks. The Financial Security Institute said, "We plan to examine whether there were irresistible factors that could not be prevented even with certification."