The classification criteria for national information systems will be overhauled from the current focus on "number of users" to a focus on "impact on the public's daily life."
The Ministry of the Interior and Safety said on the 15th that it has prepared a draft of the "Notice on the Safety of Information Systems of Administrative and Public Institutions," which contains these measures, and will begin an advance notice of legislation on the 16th.
Until now, information system grades were managed in four tiers based on criteria such as number of users (50%), business impact (40%), and spread potential (10%). However, when a fire broke out at the National Information Resources Service in September last year, recovery was delayed because the system, despite being closely tied to the public's daily life, had received a low grade due to its small number of users.
In response, the government decided to shift the grading criteria to focus on public impact. Going forward, public impact (70%) will carry the most weight, and information systems will be classified into A1–A4 grades through a comprehensive assessment that also considers number of users (10%), spread potential (10%), and substitutability (10%). A1 denotes national core, A2 denotes essential for the public, A3 denotes administratively important, and A4 denotes general systems. Grades A1–A3 will be finalized by a grading review committee of up to 30 members that includes private-sector experts.
Response systems in the event of disasters or failures will also be strengthened. Recovery time objectives will be set by grade, and disaster recovery (DR) systems must be built and operated accordingly. Recovery time objectives are within 1 hour for A1, 3–12 hours for A2, 1–5 days for A3, and within 3 weeks for A4.
In addition, at least one live disaster recovery drill will be conducted annually for disaster recovery systems, and periodic backups and off-site backups for all information systems have been mandated to prevent data loss.
The reporting system for information system failures will also be streamlined. When a failure occurs in a critical system, it must be reported immediately to the Ministry of the Interior and Safety (MOIS) digital safety situation room, which will relay it to relevant agencies to support a pan-government response.
Along with this, each agency must establish a basic failure management plan on a three-year cycle and comply with 46 safety standards, including preventive inspections and failure response, prepared by the Ministry of the Interior and Safety (MOIS). It also mandated that standard operating procedures for information systems and service level agreements be put in place to ensure a certain level of system stability even in private cloud or outsourced operating environments.