From 29d5b2ee60b0ba311729dc74c16731dbee133e3c Mon Sep 17 00:00:00 2001 From: ImanABS Date: Thu, 29 Aug 2024 18:20:22 +0200 Subject: [PATCH] Add K ISMS-P --- backend/library/libraries/k-isms-p.yaml | 32283 ++++++++++++++++++++++ tools/K ISMS-P/K-ISMS-P.xlsx | Bin 0 -> 137190 bytes 2 files changed, 32283 insertions(+) create mode 100644 backend/library/libraries/k-isms-p.yaml create mode 100644 tools/K ISMS-P/K-ISMS-P.xlsx diff --git a/backend/library/libraries/k-isms-p.yaml b/backend/library/libraries/k-isms-p.yaml new file mode 100644 index 000000000..82dc4c91a --- /dev/null +++ b/backend/library/libraries/k-isms-p.yaml 
@@ -0,0 +1,32283 @@ +urn: urn:intuitem:risk:library:k_isms_p +locale: en +ref_id: K ISMS-P +name: 'K ISMS-P Certification Standard Guide ' +description: "Certification Standard Guide Information Security and Personal Information\ + \ Protection Management System (ISMS-P) \nThe 'Personal information & Information\ + \ Security Management System (ISMS-P)\u2019 is an 'integrated certification system'\ + \ that consolidated 'Personal Information Management System (PIMS) certification'\ + \ and 'Information Security Management System (ISMS) certification'.\n\nHere is\ + \ the link of the document :\nhttps://isms-p.kisa.or.kr" +copyright: KISA +version: 1 +provider: KISA +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:k_isms_p + ref_id: K ISMS-P + name: 'K ISMS-P Certification Standard Guide ' + description: "Certification Standard Guide Information Security and Personal Information\ + \ Protection Management System (ISMS-P) \nThe 'Personal information & Information\ + \ Security Management System (ISMS-P)\u2019 is an 'integrated certification\ + \ system' that consolidated 'Personal Information Management System (PIMS) certification'\ + \ and 'Information Security Management System (ISMS) certification'.\n\nHere\ + \ is the link of the document :\nhttps://isms-p.kisa.or.kr" + requirement_nodes: + - urn: urn:intuitem:risk:req_node:k_isms_p:1 + assessable: false + depth: 1 + ref_id: '1' + name: 'Establishment and Operation of Management System ' + description: (16 Items) + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1 + ref_id: '1.1' + name: Establishing the Foundation of the Management System + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.1 + name: Participation of Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node5 + assessable: true + depth: 4 + 
parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.1 + description: The responsibilities and roles related to reporting, decision-making, + etc., must be documented to ensure the participation of management, who have + decision-making authority over the overall establishment and operation activities + of the Information Security and Personal Information Protection Management + System. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? + + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node6 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node5 + description: The basis for activities, such as the establishment and revision + of information security and personal information protection policies, risk + management, internal audits, etc., must be specified in the information security + and personal information protection policy or implementation documents to + allow management to participate in important matters related to the operation + of the management system. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? 
+ + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.1 + description: Reporting, review, and approval procedures must be established + and implemented to enable management to actively participate in decision-making + concerning information security and personal information protection activities. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? + + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node8 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node7 + description: Important activities within the Information Security and Personal + Information Protection Management System that involve management should be + defined, and corresponding reporting systems (e.g., regular and irregular + reports, committee participation) should be established. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? 
+ + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node9 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node7 + description: Reporting and decision-making procedures, targets, and frequencies + should be determined in accordance with the organization's size and characteristics, + ensuring that management can effectively participate in the establishment + and operation of the management system. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? + + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node10 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node7 + description: In line with the established internal procedures, management should + be informed about major matters within the Information Security and Personal + Information Protection Management System and participate in decision-making. + annotation: 'Key Points for Verification: + + - Is the responsibility and role of reporting and decision-making documented + to ensure the participation of management in the overall establishment and + operation activities of the Information Security and Personal Information + Protection Management System? 
+ + - Have reporting, review, and approval procedures been established and implemented + to enable management to actively participate in decision-making concerning + information security and personal information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.2 + name: Designation of the Chief Officer + - urn: urn:intuitem:risk:req_node:k_isms_p:node12 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.2 + description: The Chief Executive Officer (CEO) must officially designate a Chief + Information Security Officer (CISO) and a Chief Privacy Officer (CPO) through + formal procedures such as personnel appointments to effectively oversee and + be responsible for information security and personal information protection + management activities within the organization. + annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node13 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node12 + description: The CISO and CPO must be officially appointed through personnel + appointments, and in cases of ex officio appointments, their positions must + be specified in the information security and personal information protection + policy document. 
+ annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node14 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.2 + description: The CISO and CPO must be designated at an executive level with + the authority to allocate resources such as budget and personnel, and they + must meet the qualifications required by relevant laws (Refer to Article 36-7 + of the Enforcement Decree of the Information and Communications Network Act). + annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node15 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node14 + description: The CISO and CPO should be individuals with knowledge and competence + in information security and personal information protection, designated at + an executive level capable of allocating resources such as budget and personnel, + to effectively oversee the organization's information security and personal + information protection tasks. 
+ annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node16 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node15 + description: Information service providers must designate an executive who meets + the criteria prescribed by Presidential Decree as the CISO to ensure the security + and safe management of information and information systems, and report this + to the Minister of Science and ICT. However, in cases where the criteria set + by Presidential Decree are met, reporting may be exempted. + annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node17 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node14 + description: Compliance with legal requirements for the designation of a CISO + is necessary (Refer to Article 45-3 of the Information and Communications + Network Act). 
+ annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node18 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node14 + description: Compliance with legal requirements for the designation of a Chief + Privacy Officer (CPO) is necessary (Refer to Article 32 of the Enforcement + Decree of the Personal Information Protection Act, etc.). + annotation: 'Key Points for Verification + + - Has the Chief Executive Officer (CEO) officially designated a Chief Officer + who will be responsible for overseeing and managing information security and + personal information protection tasks? + + - Is the Chief Information Security Officer (CISO) and the Chief Privacy Officer + (CPO) designated at an executive level with the authority to allocate resources + such as budget and personnel, and do they meet the qualifications required + by relevant laws?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.3 + name: Organization Structure + - urn: urn:intuitem:risk:req_node:k_isms_p:node20 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.3 + description: Considering the characteristics such as the size of the organization + and the importance of tasks, the basis for the organizational structure necessary + to establish and continuously operate the Information Security and Personal + Information Protection Management System should be specified in the Information + Security and Personal Information Protection Policy or other relevant documents. + Additionally, a working group with expertise should be formed and operated. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node21 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node20 + description: The composition and operation of the Information Security and Personal + Information Protection organization, including the Chief Information Security + Officer (CISO), Chief Privacy Officer (CPO), working groups, and committees, + should be specified in policies, internal management plans, etc. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node22 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node20 + description: The structure and size of the working group should be determined + by considering the overall size of the organization, the nature of its tasks + and services, the importance and sensitivity of the information and personal + data being processed, legal regulations, etc. 
+ annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node23 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node20 + description: The working group can be composed of either a dedicated team or + a combined team, but even if it is a combined team, roles and responsibilities + must be officially assigned to ensure that the team can perform its duties + effectively. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? 
+ + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node24 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node20 + description: Members of the working group should be employees with expertise + in information security and personal information protection, as well as a + good understanding of various services and experience (e.g., holding relevant + degrees and certifications, possessing practical experience, completing relevant + training, etc.). + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node25 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.3 + description: A committee should be established and operated to review, approve, + and make decisions on important information security and personal information + protection matters across the organization. 
+ annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node26 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node25 + description: The committee should be composed of individuals who represent the + interests within the organization and have real authority for review and decision-making + on information security and personal information protection, including management, + executives, the CISO, and the CPO. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? 
+ + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node27 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node25 + description: The committee should be convened regularly or as needed based on + specific issues. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node28 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node25 + description: The committee should review, approve, and make decisions on major + matters across the organization. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? 
+ + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node29 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.3 + description: To oversee enterprise-wide information security and personal information + protection activities, a working group composed of relevant officers and departmental + representatives should be established and operated. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node30 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node29 + description: The composition of the working group and its organizational structure + should be determined based on the size of the organization and the importance + of the services within the scope of the management system. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? + + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node31 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node29 + description: The working group should share, coordinate, review, and improve + information security and personal information protection matters at the practical + level. If decision-making or management support is required, the issues should + be submitted to the committee for discussion. + annotation: 'Key Points for Verification + + - Is there a specialized working group with expertise that supports the duties + of the Chief Information Security Officer (CISO) and Chief Privacy Officer + (CPO) and systematically implements the organization''s information security + and personal information protection activities? 
+ + - Has a committee been established and operated to review, approve, and make + decisions on important information security and personal information protection + matters across the organization? + + - Is there a working group composed of information security and personal information + protection officers, as well as departmental representatives, that is established + and operated to oversee enterprise-wide information security and personal + information protection activities?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.4 + name: Setting the Scope + - urn: urn:intuitem:risk:req_node:k_isms_p:node33 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.4 + description: The scope of the management system must be defined to include key + assets that could impact the organization's core services and the processing + of personal information. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node34 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node33 + description: The management system's scope should comprehensively include all + key tangible and intangible assets related to the business (services), such + as employees, information systems, information, and facilities, without omissions. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node35 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node33 + description: Particularly for those subject to mandatory information security + management systems, the scope must include information and communication services + and related information assets as required by legal obligations. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? 
+ + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node36 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.4 + description: If there are any exceptions within the defined scope, clear reasons, + consultation with relevant parties, and approval from responsible individuals + must be documented and managed. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node37 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node36 + description: If the scopes of the Information Security Management System (ISMS) + and the Personal Information Protection Management System (PIPMS) differ, + the list of information assets within the certification scope (e.g., personal + information, systems, networks) must be clearly identified and defined from + both the ISMS and PIPMS perspectives. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? 
+ + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node38 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node36 + description: For services and information systems excluded from the certification + scope, the reasons and justifications must be recorded and managed after internal + consultation and approval from the responsible parties. + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node39 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.4 + description: Documents containing related content (e.g., key service and business + status, list of information systems, list of documents) must be created and + managed to clearly identify the scope of the Information Security and Personal + Information Protection Management System. 
+ annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node40 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Key service and business status (including personal information + processing tasks) + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node41 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Organizational status related to service provision (e.g., organizational + charts) + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node42 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Status of information security and personal information protection + organizations + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node43 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: List of key facilities + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node44 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: List of information systems and network configuration diagrams + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node45 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Criteria for identifying information assets and personal information-related + assets, and the status of these assets + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node46 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: List of Information Security and Personal Information Protection + Systems + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node47 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Service (System) Diagrams and the Flow of Personal Information + Processing (collection, use, provision, storage, management, disposal) + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node48 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: List of Documents (e.g., policies, guidelines, manuals, operation + specifications, etc.) + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node49 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Methods and procedures for establishing the Information Security + and Personal Information Protection Management System, compliance review with + related legal requirements, and internal audits + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node50 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node39 + description: Status of outsourced (entrusted) companies such as customer centers, + IDC (Internet Data Centers), IT development, and operations + annotation: 'Key Points for Verification + + - Is the scope of the management system set to include key assets that could + impact the organization''s core services and the processing of personal information? + + - If there are exceptions within the defined scope, are clear reasons, consultations + with relevant parties, and approvals from responsible individuals documented + and managed? + + - Are documents created and managed that include related content (e.g., key + service and business status, list of information systems, list of documents) + to clearly identify the scope of the Information Security and Personal Information + Protection Management System?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.5 + name: Policy Formulation + - urn: urn:intuitem:risk:req_node:k_isms_p:node52 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.5 + description: 'The highest-level Information Security and Personal Information + Protection policy, which includes the basis for all Information Security and + Personal Information Protection activities conducted by the organization, + must include the following elements:' + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node53 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node52 + description: The commitment and direction of the CEO and other executives regarding + the organization's Information Security and Personal Information Protection. 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node54 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node52 + description: The roles, responsibilities, targets, and scope for Information + Security and Personal Information Protection within the organization + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation 
documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node55 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node52 + description: The basis for the administrative, technical, and physical Information + Security and Personal Information Protection activities carried out by the + organization. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node56 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.5 + description: In order to specifically implement the Information Security and + Personal Information Protection measures outlined in the policy, the organization + must establish detailed guidelines, procedures, manuals, guides, and other + subordinate execution documents that define the necessary methods, procedures, + cycles, and responsible entities in accordance with the organization's characteristics. + annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node57 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node56 + description: Subordinate execution documents should provide a concrete basis + for all Information Security and Personal Information Protection activities + undertaken by the organization and be tailored to the organization's characteristics, + whether from the perspective of the protection targets or the responsible + entities. 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node58 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node56 + description: Policies and implementation documents (such as guidelines and procedures) + must reflect the legal requirements related to personal information protection + (laws, enforcement decrees, enforcement rules, subordinate notices, guides, + etc.) that are relevant to the services and businesses provided by the organization. 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node59 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node56 + description: When processing personal information, the internal management plan + must be established in accordance with the Personal Information Protection + Act, including all requirements specified by the relevant legal regulations. 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node60 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.5 + description: When creating or revising Information Security and Personal Information + Protection policies and implementation documents, approval must be obtained + from the CEO or an individual delegated by the CEO. 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node61 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node60 + description: Ensure thorough consultation and review with stakeholders when + creating or revising policies and implementation documents. 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node62 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node60 + description: "Consider the impact of changes to policies and implementation\ + \ documents on the organization\u2019s operations, services, and legal compliance." 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node63 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node60 + description: Keep records of review discussions, such as meeting minutes, and + reflect these considerations in the policies and guidelines. 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node64 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node60 + description: Report the finalized policies and implementation documents to the + management and obtain approval. 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node65 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.5 + description: When creating or revising Information Security and Personal Information + Protection policies and implementation documents, the latest version must + be provided to relevant employees in an easily understandable format. 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node66 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node65 + description: Provide the documents in a format that is easily accessible to + employees and external parties (e.g., electronic bulletin boards, booklets, + training materials, manuals). 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node67 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node65 + description: Immediately publish any changes to the policies and implementation + documents and ensure that the latest version is maintained. 
+ annotation: "Key Points for Verification \n- Has the organization established\ + \ a top-level Information Security and Personal Information Protection policy\ + \ that includes the basis for all Information Security and Personal Information\ + \ Protection activities it undertakes?\n- Has the organization established\ + \ guidelines, procedures, manuals, etc., that define the detailed methods,\ + \ procedures, and cycles necessary for the implementation of the Information\ + \ Security and Personal Information Protection policy?\n- Is the approval\ + \ of the CEO or an individual delegated by the CEO obtained for the creation\ + \ or revision of Information Security and Personal Information Protection\ + \ policies and implementation documents?\n- Is the latest version of the Information\ + \ Security and Personal Information Protection policies and implementation\ + \ documents provided to relevant employees in an easily understandable format?" + - urn: urn:intuitem:risk:req_node:k_isms_p:1.1.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1 + ref_id: 1.1.6 + name: Resource Allocation + - urn: urn:intuitem:risk:req_node:k_isms_p:node69 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.6 + description: The top management must ensure that personnel with expertise in + information security and personal data protection are secured to facilitate + smooth execution of activities. 
+ annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node70 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node69 + description: Possess specialized knowledge and relevant qualifications (e.g., + degrees or certifications related to information security and personal data + protection). + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node71 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node69 + description: Have practical experience in information security and personal + data protection. 
+ annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node72 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node69 + description: Complete job-related training in information security and personal + data protection. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node73 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.6 + description: The top management must assess the necessary resources for effective + implementation and continuous operation of the information security and personal + data protection management system and provide the required budget and personnel. 
+ annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node74 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node73 + description: Annually assess the necessary budget and resources for the effective + establishment and ongoing operation of the information security and personal + data protection management system, and develop and approve budget and personnel + plans. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node75 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node73 + description: Continuously support the required resources (e.g., personnel, organization, + budget) in accordance with the budget and personnel plans. 
+ annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node76 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.1.6 + description: Develop and implement detailed annual plans for information security + and personal data protection tasks and conduct review, analysis, and evaluation + of the results. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node77 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node76 + description: Establish detailed annual plans for executing information security + and personal data protection tasks, report to management, and implement them. 
+ annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node78 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node76 + description: Review, analyze, and evaluate the results of the implementation + according to the detailed plans and report to management. + annotation: "Key Points for Verification\n- Are there personnel with expertise\ + \ in information security and personal data protection?\n- To effectively\ + \ implement and continuously operate the information security and personal\ + \ data protection management system, is there an evaluation of the necessary\ + \ resources, and is the required budget and manpower being provided?\n- Is\ + \ there a detailed annual plan for information security and personal data\ + \ protection tasks, and is there a review and analysis of the results of the\ + \ plan\u2019s implementation?" 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:1.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1 + ref_id: '1.2' + name: Risk Management + - urn: urn:intuitem:risk:req_node:k_isms_p:1.2.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2 + ref_id: 1.2.1 + name: Identification of Information Assets + - urn: urn:intuitem:risk:req_node:k_isms_p:node81 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.1 + description: Establish criteria for classifying information assets and identify + and manage all assets within the scope of the information security and personal + data protection management system as a list. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node82 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node81 + description: Develop classification criteria for information assets that match + the characteristics of the organization and ensure that all information assets + are identified according to these criteria. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? 
+ + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node83 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node81 + description: Verify and list asset information such as asset name, purpose, + location, responsible person and manager, and managing department. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node84 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node81 + description: Utilize an asset management system or manage assets in various + forms (e.g., documents or spreadsheets) for efficient management. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node85 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node81 + description: When using cloud services, establish classification criteria reflecting + the characteristics of the cloud service (e.g., virtual servers, object storage) + and identify and manage cloud assets accordingly. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node86 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.1 + description: Determine the importance of identified information assets and assign + security classifications based on legal requirements and their impact on business + operations. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node87 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node86 + description: Establish security classification criteria tailored to the characteristics + of each asset, considering legal requirements and their impact on business + operations. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node88 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node86 + description: Assign and manage security classifications for each information + asset according to the established security classification criteria. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node89 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.1 + description: Regularly review the status of information assets to keep the asset + list up-to-date. 
+ annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node90 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node89 + description: Establish procedures to track newly introduced, changed, and discarded + assets. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? + + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node91 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node89 + description: Conduct regular reviews of the information asset status and maintain + the asset list in an up-to-date condition. + annotation: 'Key Points for Verification + + - Have you established criteria for classifying information assets and are + you identifying and managing all assets within the scope of the information + security and personal data protection management system as a list? 
+ + - For identified information assets, do you determine their importance and + assign security classifications considering legal requirements and the impact + on business operations? + + - Do you regularly review the status of information assets and keep the asset + list up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.2.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2 + ref_id: 1.2.2 + name: Analysis of Current Status and Flow + - urn: urn:intuitem:risk:req_node:k_isms_p:node93 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.2 + description: Status and flow analysis serves as a preliminary step for risk + analysis, providing foundational data that allows for risk analysis from various + perspectives. It also enables executives to effectively understand the information + security status and make decisions for risk management. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node94 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node93 + description: Status analysis involves comparing certification standards with + operational status using a GAP analysis table to identify differences between + the certification standards and the operational status. 
+ annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node95 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node93 + description: Flow analysis is divided into information service flow analysis + and personal data processing stage flow analysis, with the results being illustrated + using flowcharts or diagrams. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node96 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.2 + description: Identify the status of information services across all areas of + the management system, understand and document the business procedures and + processes. 
+ annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node97 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node96 + description: Identify the status of all information services within the scope + of the management system. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node98 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node96 + description: Understand the business procedures and processes for each information + service. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? 
+ + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node99 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node96 + description: Document the business procedures and processes using tools such + as status tables and flowcharts. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node100 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.2 + description: Identify the status of personal data processing within the scope + of the management system and understand the flow of personal data, documenting + it using personal data flow charts and diagrams (for ISMS-P certification). + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? 
+ + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node101 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node100 + description: (Step 1) Identify the individual business processes where personal + data processing occurs. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node102 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node100 + description: (Step 2) Create personal data flow charts for each business process, + detailing the lifecycle of personal data. + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? 
+ + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node103 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node100 + description: '(Step 3) Based on the created personal data flow charts, develop + an overarching personal data flow diagram and business-specific personal data + flow diagrams. These diagrams should clearly illustrate the flow of personal + data through different stages: collection, retention, use/provision, and disposal.' + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? + + - Have you identified the status of personal data processing within the scope + of the management system and documented the flow of personal data using diagrams + such as data flow charts? + + - Do you regularly review business procedures and the flow of personal data + in response to changes in services, business operations, and information assets, + and keep related documents, such as flowcharts, up-to-date?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node104 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.2 + description: 'Regularly review and manage the business procedures and personal + data flows to ensure they are up-to-date, considering the following aspects, + at least once a year:' + annotation: 'Key Points for Verification + + - Have you identified the status of information services across all areas + of the management system and documented the business procedures and processes? 
+
+ - Have you identified the status of personal data processing within the scope
+ of the management system and documented the flow of personal data using diagrams
+ such as data flow charts?
+
+ - Do you regularly review business procedures and the flow of personal data
+ in response to changes in services, business operations, and information assets,
+ and keep related documents, such as flowcharts, up-to-date?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node105
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node104
+ description: Changes in existing services, business operations, and personal
+ data flows (e.g., new services or service revisions, changes in business procedures,
+ alterations in personal data processing methods, organizational changes, modifications
+ in external connections and data flows).
+ annotation: 'Key Points for Verification
+
+ - Have you identified the status of information services across all areas
+ of the management system and documented the business procedures and processes?
+
+ - Have you identified the status of personal data processing within the scope
+ of the management system and documented the flow of personal data using diagrams
+ such as data flow charts?
+
+ - Do you regularly review business procedures and the flow of personal data
+ in response to changes in services, business operations, and information assets,
+ and keep related documents, such as flowcharts, up-to-date?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node106
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node104
+ description: Changes in critical information and personal data categories being
+ processed.
+ annotation: 'Key Points for Verification
+
+ - Have you identified the status of information services across all areas
+ of the management system and documented the business procedures and processes?
+
+ - Have you identified the status of personal data processing within the scope
+ of the management system and documented the flow of personal data using diagrams
+ such as data flow charts?
+
+ - Do you regularly review business procedures and the flow of personal data
+ in response to changes in services, business operations, and information assets,
+ and keep related documents, such as flowcharts, up-to-date?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node107
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node104
+ description: Changes in the types, configuration, and functions of information
+ systems and personal data processing systems.
+ annotation: 'Key Points for Verification
+
+ - Have you identified the status of information services across all areas
+ of the management system and documented the business procedures and processes?
+
+ - Have you identified the status of personal data processing within the scope
+ of the management system and documented the flow of personal data using diagrams
+ such as data flow charts?
+
+ - Do you regularly review business procedures and the flow of personal data
+ in response to changes in services, business operations, and information assets,
+ and keep related documents, such as flowcharts, up-to-date?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node108
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node104
+ description: Emergence of new personal data processing tasks and flows.
+ annotation: 'Key Points for Verification
+
+ - Have you identified the status of information services across all areas
+ of the management system and documented the business procedures and processes?
+
+ - Have you identified the status of personal data processing within the scope
+ of the management system and documented the flow of personal data using diagrams
+ such as data flow charts?
+
+ - Do you regularly review business procedures and the flow of personal data
+ in response to changes in services, business operations, and information assets,
+ and keep related documents, such as flowcharts, up-to-date?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node109
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node104
+ description: Changes in external conditions such as updates to regulations or
+ the emergence of new vulnerabilities.
+ annotation: 'Key Points for Verification
+
+ - Have you identified the status of information services across all areas
+ of the management system and documented the business procedures and processes?
+
+ - Have you identified the status of personal data processing within the scope
+ of the management system and documented the flow of personal data using diagrams
+ such as data flow charts?
+
+ - Do you regularly review business procedures and the flow of personal data
+ in response to changes in services, business operations, and information assets,
+ and keep related documents, such as flowcharts, up-to-date?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2
+ ref_id: 1.2.3
+ name: Risk Assessment
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node111
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3
+ description: Reflecting the characteristics of the organization, define and
+ document methods for identifying and assessing information security and personal
+ data protection risks from various aspects, including administrative, technical,
+ physical, and legal fields.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node112
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node111
+ description: 'Select risk assessment methods: baseline approach, detailed risk
+ analysis, composite approach, threat and scenario-based methods, etc.'
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node113
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node111
+ description: 'Reflect the characteristics of the business and organization:
+ organizational vision and mission, business objectives, service types, compliance,
+ etc.'
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node114
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node111
+ description: 'Consider various perspectives: hacking, insider threats, external
+ management or supervision lapses, violations of personal data regulations,
+ etc.'
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node115
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node111
+ description: Consider the latest vulnerabilities and threat trends.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node116
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node111
+ description: Risk assessment methodologies can be defined and applied according
+ to the organization's characteristics, but the process must be rational, and
+ the results should represent the seriousness of the actual risks.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node117
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3
+ description: Develop a risk management plan that specifies the risk management
+ methods and procedures (including personnel, duration, scope, methods, budget,
+ etc.).
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node118
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node117
+ description: 'Personnel: Involve risk management experts, information security
+ and personal data protection specialists, legal experts, IT operational managers,
+ business unit managers, external consultants, etc. (Stakeholder involvement
+ is necessary.)'
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node119
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node117
+ description: 'Duration: Establish a schedule to ensure that risk assessments
+ are conducted at least once a year.'
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node120
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node117
+ description: 'Scope: Include all services and assets within the certification
+ scope (information assets, personal data, systems, physical facilities, etc.).'
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node121
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node117
+ description: 'Methods: Define risk assessment methodologies that reflect the
+ organization''s characteristics.'
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node122
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node117
+ description: 'Budget: Develop an annual budget plan for risk identification
+ and assessment and obtain approval from executives, including the Chief Information
+ Security Officer.'
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node123
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3
+ description: According to the risk management plan, perform risk assessments
+ for all areas within the scope of the information security and personal data
+ protection management system at least once a year or as needed.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node124
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123
+ description: Systematically execute assessments based on the pre-established
+ risk management methods and plans.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node125
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123
+ description: Conduct risk assessments regularly at least once a year, but perform
+ additional assessments if significant changes occur, such as organizational
+ changes or the introduction of new systems.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node126
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123
+ description: Incorporate findings from the status and flow analysis of services
+ and information assets.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node127
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123
+ description: Verify compliance with legal requirements related to information
+ security and personal data protection based on the latest regulations.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node128
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123
+ description: Ensure compliance with the certification standards for the information
+ security and personal data protection management system.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node129
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node123
+ description: Include a review of the effectiveness of implemented information
+ security and personal data protection measures.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node130
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3
+ description: Define an acceptable level of risk for the organization and identify
+ risks that exceed this level.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node131
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node130
+ description: Establish risk assessment criteria considering the impact of various
+ risks on the organization (likelihood, severity, etc.).
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node132
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node130
+ description: Assess the level of risk for identified risks according to the
+ established criteria.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node133
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node130
+ description: Determine the acceptable level of risk (Degree of Assurance) based
+ on decisions by executives, including the Chief Information Security Officer
+ and the Personal Data Protection Officer.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node134
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node130
+ description: Identify and document risks that exceed the acceptable level of
+ risk.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node135
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.3
+ description: Report the results of risk identification and assessment in a manner
+ that is easily understood by executives, including the Chief Information Security
+ Officer and the Personal Data Protection Officer.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node136
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node135
+ description: Prepare evaluation reports for identified risks.
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+
+ - Do you perform risk assessments regularly (at least once a year) or as needed,
+ in accordance with the risk management plan?
+
+ - Have you established an acceptable level of risk for the organization and
+ identified risks that exceed this level?
+
+ - Do you report the results of risk identification and assessment to management?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node137
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node135
+ description: Share and discuss the content with relevant stakeholders for each
+ identified risk (e.g., operational committees, review boards).
+ annotation: 'Key Points for Verification:
+
+ - Have you defined methods for identifying and assessing risks from various
+ perspectives, based on the characteristics of the organization or service?
+
+ - Do you develop a detailed risk management plan annually, specifying risk
+ management methods and procedures (including personnel, duration, scope, methods,
+ budget, etc.)?
+ + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node138 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node135 + description: Prepare and report the findings in a way that is understandable + and actionable for executives, avoiding technical jargon and focusing on clarity + for decision-making. + annotation: 'Key Points for Verification: + + - Have you defined methods for identifying and assessing risks from various + perspectives, based on the characteristics of the organization or service? + + - Do you develop a detailed risk management plan annually, specifying risk + management methods and procedures (including personnel, duration, scope, methods, + budget, etc.)? + + - Do you perform risk assessments regularly (at least once a year) or as needed, + in accordance with the risk management plan? + + - Have you established an acceptable level of risk for the organization and + identified risks that exceed this level? + + - Do you report the results of risk identification and assessment to management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.2.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2 + ref_id: 1.2.4 + name: Selection of Protective Measures + - urn: urn:intuitem:risk:req_node:k_isms_p:node140 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.4 + description: Establish risk treatment strategies (such as risk reduction, risk + avoidance, risk transfer, or risk acceptance) for identified risks, and select + appropriate information security and personal data protection measures for + each risk based on these strategies. 
+ annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node141 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node140 + description: It is common to develop risk treatment strategies with the goal + of reducing the risk level. However, depending on the situation, strategies + such as risk avoidance, risk transfer, and risk acceptance should also be + considered. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node142 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node140 + description: When selecting protective measures, consider the alignment of information + security and personal data protection measures with the certification standards + for the management system. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? 
+ + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node143 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node140 + description: If risk acceptance is chosen due to unavoidable reasons, avoid + unconditional risk acceptance. Instead, carefully review the appropriateness + of the unavoidable reasons and the feasibility of implementing supplementary + measures, and base the decision on clear and objective evidence. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node144 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node140 + description: Be cautious to ensure that risks involving legal violations are + not included in the acceptable risk category. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node145 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node140 + description: For risks that do not exceed the acceptable risk level but have + a high potential for increased risk due to changes in internal or external + environments, or are considered critical by the organization, consider establishing + protective measures. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node146 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.2.4 + description: Considering the priority of information security and personal data + protection measures, develop an implementation plan that includes a schedule, + responsible departments and individuals, budget, and other relevant elements, + and report this plan to the Chief Information Security Officer and the Personal + Data Protection Officer, as well as other executives. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node147 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node146 + description: Determine priorities based on factors such as the severity and + urgency of the risks, ease of implementation, budget allocation, availability + of resources, and dependencies + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node148 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node146 + description: Prepare an implementation plan for information security and personal + data protection measures that includes the schedule, responsible departments + and individuals, budget, and other relevant details, and present it to executives + for approval. + annotation: 'Key Points for Verification: + + - Have you established risk treatment strategies (such as mitigation, avoidance, + transfer, or acceptance) for identified risks and selected protective measures + for risk management? + + - Have you developed and reported to management a risk treatment plan that + includes a schedule, responsible departments and individuals, budget, and + other relevant elements, considering the prioritization of protective measures?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:1.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1 + ref_id: '1.3' + name: Operation of the Management System + - urn: urn:intuitem:risk:req_node:k_isms_p:1.3.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3 + ref_id: 1.3.1 + name: Implementation of Protective Measures + - urn: urn:intuitem:risk:req_node:k_isms_p:node151 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.1 + description: According to the implementation plan, ensure that the selected + protective measures are effectively implemented and report the results to + management, including the Chief Information Security Officer and the Personal + Data Protection Officer, to verify the accuracy and effectiveness of the implementation. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node152 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node151 + description: Regularly report on the progress of the implementation plan, including + completion status, current progress, and reasons for any non-compliance or + delays to the Chief Information Security Officer, the Personal Data Protection + Officer, and other executives. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? 
+ + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node153 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node151 + description: Management should review whether the information security and personal + data protection measures have been implemented accurately and effectively + according to the plan. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node154 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node151 + description: If non-compliance or delays occur, analyze the causes, adjust the + implementation plan if necessary, and report to and obtain approval from management. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node155 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node151 + description: If the results of the implementation are found to be ineffective + or raise significant doubts about their effectiveness, establish alternatives + or procedures for additional risk assessments to address the issues. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node156 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.1 + description: Prepare detailed operational specifications that document the implementation + and operational status of protective measures for each certification standard. + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node157 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node156 + description: 'Confirm whether the certification standards have been selected + (Yes/No): The ''Establishment and Operation of the Management System'' area + is mandatory.' 
+ annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node158 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node156 + description: 'Operational Status: Provide a detailed account of the organization''s + policies and operational status compared to the certification standards.**' + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node159 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node156 + description: 'Related Documents: Clearly specify the names and detailed document + numbers of relevant documents (policies, guidelines, etc.) applicable to the + standards.**' + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? 
+ + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node160 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node156 + description: 'Records (Evidence): Present documents or evidence generated during + the actual operation of the standards, such as related documents, approval + details, and meeting minutes.**' + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node161 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node156 + description: 'Reasons for Not Selecting Standards: If a service or system within + the certification scope is entirely unrelated to a given standard, provide + a detailed explanation for not selecting that standard.**' + annotation: 'Key Points for Verification: + + - Are you effectively implementing protective measures according to the implementation + plan and reporting the results to management so they can verify the accuracy + and effectiveness of the implementation? + + - Are you preparing detailed operational specifications that document the + implementation and operational status of protective measures for each certification + standard of the management system?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:1.3.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3 + ref_id: 1.3.2 + name: Sharing of Protective Measures + - urn: urn:intuitem:risk:req_node:k_isms_p:node163 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.2 + description: You must clearly identify the departments and individuals responsible + for operating or implementing the implemented protective measures. + annotation: 'Key Points for Verification: + + - Have you clearly identified the departments and individuals responsible + for operating or implementing the implemented protective measures? + + ) Are you sharing or providing training on the relevant content to the departments + and individuals responsible for operating or implementing the protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node164 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.2 + description: To internalize the information security and personal data protection + management system, you must share or provide training on the relevant content + to the departments and individuals responsible for operating or implementing + the implemented protective measures. + annotation: 'Key Points for Verification: + + - Have you clearly identified the departments and individuals responsible + for operating or implementing the implemented protective measures? + + ) Are you sharing or providing training on the relevant content to the departments + and individuals responsible for operating or implementing the protective measures?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node165 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node164 + description: 'Shared Content: Revisions and updates to information security + and personal data protection policies and implementation documents, implementation + plans and results for information security and personal data protection measures, + and new security system implementations and improvements.' + annotation: 'Key Points for Verification: + + - Have you clearly identified the departments and individuals responsible + for operating or implementing the implemented protective measures? + + ) Are you sharing or providing training on the relevant content to the departments + and individuals responsible for operating or implementing the protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node166 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node164 + description: 'Recipients: Departments and individuals responsible for the actual + operation or implementation of the relevant policies, guidelines, and protective + measures.' + annotation: 'Key Points for Verification: + + - Have you clearly identified the departments and individuals responsible + for operating or implementing the implemented protective measures? + + ) Are you sharing or providing training on the relevant content to the departments + and individuals responsible for operating or implementing the protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node167 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node164 + description: 'Sharing Methods: Bulletin boards and email notifications (for + simple issues), meetings, briefings, and training sessions.' + annotation: 'Key Points for Verification: + + - Have you clearly identified the departments and individuals responsible + for operating or implementing the implemented protective measures? 
+ + ) Are you sharing or providing training on the relevant content to the departments + and individuals responsible for operating or implementing the protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.3.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3 + ref_id: 1.3.3 + name: Management of Operational Status + - urn: urn:intuitem:risk:req_node:k_isms_p:node169 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.3 + description: To ensure the effective operation of the management system, you + must identify information security and personal data protection activities + that are required to be performed daily, weekly, monthly, quarterly, semi-annually, + or annually, or on an ongoing basis. You should create and manage a document + (operational status table) that defines the performance cycle and timing, + as well as the responsible parties (departments and individuals), to easily + monitor the status of these activities. + annotation: "Key Points for Verification:\n- Are you documenting and managing\ + \ information security and personal data protection activities that need to\ + \ be performed periodically or continuously for the operation of the management\ + \ system?\n- Does management periodically review and manage the effectiveness\ + \ of the management system\u2019s operational activities?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node170 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.3.3 + description: "Management must periodically verify the effectiveness of the management\ + \ system\u2019s operational activities and address any issues identified through\ + \ improvements." 
+ annotation: "Key Points for Verification:\n- Are you documenting and managing\ + \ information security and personal data protection activities that need to\ + \ be performed periodically or continuously for the operation of the management\ + \ system?\n- Does management periodically review and manage the effectiveness\ + \ of the management system\u2019s operational activities?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node171 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node170 + description: Regularly check to ensure that the operational activities are being + performed periodically or continuously according to the operational status + table, and report the findings to management. + annotation: "Key Points for Verification:\n- Are you documenting and managing\ + \ information security and personal data protection activities that need to\ + \ be performed periodically or continuously for the operation of the management\ + \ system?\n- Does management periodically review and manage the effectiveness\ + \ of the management system\u2019s operational activities?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node172 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node170 + description: "Management should evaluate the effectiveness of the management\ + \ system\u2019s operational activities and, if necessary, take corrective\ + \ actions such as changing responsible parties, adjusting performance cycles,\ + \ or adding, modifying, or removing operational activities." + annotation: "Key Points for Verification:\n- Are you documenting and managing\ + \ information security and personal data protection activities that need to\ + \ be performed periodically or continuously for the operation of the management\ + \ system?\n- Does management periodically review and manage the effectiveness\ + \ of the management system\u2019s operational activities?" 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:1.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1 + ref_id: '1.4' + name: Inspection and Improvement of the Management System + - urn: urn:intuitem:risk:req_node:k_isms_p:1.4.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4 + ref_id: 1.4.1 + name: Review of Compliance with Legal Requirements + - urn: urn:intuitem:risk:req_node:k_isms_p:node175 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.1 + description: You must identify and keep up-to-date with the legal requirements + related to information security and personal data protection that the organization + must comply with. + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node176 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node175 + description: Identify the information security and personal data protection + regulations that the organization is required to comply with. + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node177 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node175 + description: Continuously monitor the status of amendments and updates to relevant + regulations. 
Analyze the impact of such changes on the organization and, if + necessary, reflect these changes in internal policies, guidelines, and checklists + to maintain up-to-date compliance + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node178 + assessable: false + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node175 + description: '[Reference] Information Security Disclosure System' + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node179 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.1 + description: Compliance with legal requirements must be reviewed regularly at + least once a year. + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node180 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node179 + description: Establish procedures for regularly reviewing compliance with legal + requirements (including review cycle, scope, responsible parties, methods, + etc.) and implement them. 
+ annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node181 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node179 + description: Promptly take corrective actions for any issues identified during + the compliance review. + annotation: 'Key Points for Verification: + + - Are you identifying and keeping up-to-date with the legal requirements related + to information security and personal data protection that the organization + must comply with? + + - Is compliance with legal requirements reviewed regularly at least once a + year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:1.4.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4 + ref_id: 1.4.2 + name: Inspection of the Management System + - urn: urn:intuitem:risk:req_node:k_isms_p:node183 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.2 + description: You must establish a management system inspection plan that includes + criteria, scope, frequency, and qualifications for inspection personnel to + check whether the information security and personal data protection management + system is operating effectively according to legal requirements and established + policies, and report this plan to the management. + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? 
+ + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node184 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node183 + description: 'Inspection Criteria: Include information security and personal + data protection management system certification criteria.' + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node185 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node183 + description: 'Inspection Scope: Cover the entire organization or certification + scope.' + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node186 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node183 + description: 'Inspection Frequency: Must be conducted at least once a year.' + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node187 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node183 + description: 'Inspection Personnel Qualifications: Define qualifications to + ensure objectivity, independence, and expertise in the inspection.' + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node188 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.2 + description: According to the management system inspection plan, you must form + a team with ensured independence, objectivity, and expertise to perform inspections + at least once a year and report any issues discovered to the Chief Information + Security Officer, the Chief Privacy Officer, and other management members. + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node189 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node188 + description: Form a team to ensure objectivity, independence, and expertise + in the inspection. + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node190 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node188 + description: Conduct inspections at least once a year as per the inspection + plan. + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node191 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node188 + description: Prepare an inspection report and present it to the Chief Information + Security Officer, Chief Privacy Officer, and other management members. + annotation: 'Key Points for Verification: + + - Have you established a management system inspection plan that includes criteria, + scope, frequency, and qualifications for personnel to check whether the information + security and personal data protection management system operates effectively + according to legal requirements and established policies? + + - According to the management system inspection plan, do you organize a team + with ensured independence, objectivity, and expertise to conduct inspections + at least once a year and report any issues discovered to the management?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:1.4.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4 + ref_id: 1.4.3 + name: Improvement of the Management System + - urn: urn:intuitem:risk:req_node:k_isms_p:node193 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.3 + description: You must analyze the root causes of issues identified through legal + compliance reviews and management system inspections, and establish and implement + preventive and corrective measures. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node194 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node193 + description: For issues identified during inspections, develop and implement + action plans, and verify the completion of these actions. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node195 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node193 + description: Analyze the root causes of identified issues and defects in the + management system. 
+ annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node196 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node193 + description: Based on the results of the root cause analysis, establish and + implement measures to prevent recurrence and improve the identified issues. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node197 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node193 + description: Share and provide training on the established preventive measures + to relevant parties. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node198 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:1.4.3 + description: You must establish criteria and procedures to verify the accuracy + and effectiveness of preventive and corrective actions. 
+ annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node199 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node198 + description: Develop key performance indicators (KPIs) for the management system + aspects (such as security performance indicators) to measure the accuracy + and effectiveness of preventive and corrective actions. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node200 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node198 + description: Establish and implement procedures for measuring and monitoring + key performance indicators (KPIs) and security performance indicators. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node201 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node198 + description: Report the results of the verification and measurement of the accuracy + and effectiveness of preventive and corrective actions to the management. + annotation: 'Key Points for Verification: + + - Are you analyzing the root causes of issues identified through compliance + reviews and management system inspections, and establishing and implementing + preventive and corrective measures? + + - Have you established criteria and procedures to verify the accuracy and + effectiveness of the preventive and corrective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2 + assessable: false + depth: 1 + ref_id: '2' + name: Protection Requirements + description: (64 items) + - urn: urn:intuitem:risk:req_node:k_isms_p:2.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.1' + name: Policy, Organization, Asset Management + - urn: urn:intuitem:risk:req_node:k_isms_p:2.1.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1 + ref_id: 2.1.1 + name: Policy Maintenance + - urn: urn:intuitem:risk:req_node:k_isms_p:node205 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.1 + description: Regularly establish and implement a process to review the validity + of policies and implementation documents related to information security and + personal data protection (including guidelines, procedures, and guide documents). + When necessary, update or revise the relevant policies and implementation + documents. + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? 
+ + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node206 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node205 + description: 'Establishing Procedures: Develop and implement procedures for + the regular validity review of information security and privacy protection + policies and implementation documents.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node207 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node205 + description: 'Perform Validity Review: Conduct validity reviews considering + the following aspects to ensure that information security and privacy protection + policies and documents reflect changes in laws and regulations, align with + policies from higher organizations and related institutions, and adapt to + changes in the internal and external environment of the organization.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node208 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node207 + description: 'Alignment Analysis: Analyze the alignment with information security + and privacy protection policies of higher organizations and related institutions + to ensure mutual consistency. Review for the presence of inconsistencies and + check the appropriateness of the hierarchical structure between policies.' 
+ annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node209 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node207 + description: 'Document Consistency: Ensure consistency in the periodicity, level, + and method of information security and privacy protection activities across + documents.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node210 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node207 + description: 'Legal Compliance: Review any changes (including upcoming ones) + in information security and privacy protection laws and regulations to ensure + they are appropriately reflected in policies and implementation documents.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node211 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node207 + description: 'Risk Assessment: Incorporate the results of risk assessments and + management system inspections.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? 
+ + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node212 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node207 + description: 'Environmental Changes: Consider new threats and vulnerabilities, + changes in the business environment, the introduction of new technologies, + and changes in the information security and privacy protection environment.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node213 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.1 + description: 'Review and Update During Significant Changes: When significant + changes occur in the organization''s internal and external environment, the + impact on information security and privacy protection policies and implementation + documents should be reviewed and updated if necessary.' 
+ annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node214 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node213 + description: 'Legal Changes: Review and update according to changes in information + security and privacy protection laws and regulations.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node215 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node213 + description: 'Business Environment Changes: Consider updates for significant + changes in the business environment (e.g., entry into new business areas, + large-scale organizational restructuring).' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node216 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node213 + description: 'Environmental Changes: Include significant changes in information + security, privacy protection, and IT environments (e.g., introduction of new + security systems or IT systems).' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? 
+ + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node217 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node213 + description: 'Security Incidents: Review and update policies in response to + significant internal or external security incidents.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node218 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node213 + description: 'New Threats: Address new threats or discovered vulnerabilities.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? 
+ + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node219 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.1 + description: 'Stakeholder Review for Policy Updates: When revising or creating + new information security and privacy protection policies and implementation + documents, sufficient consultation and review with stakeholders are required.' + annotation: 'Key Points for Verification: + + - Have you established and implemented a procedure for regularly reviewing + the validity of information security and personal data protection policies + and implementation documents? + + - When significant changes occur in the internal or external environment of + the organization, do you review the impact on information security and personal + data protection policies and implementation documents, and make revisions + as necessary? + + - Do you obtain review from stakeholders when revising or amending information + security and personal data protection policies and implementation documents? + + - Do you maintain a history of revisions and amendments to information security + and personal data protection policies and implementation documents?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node220
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node219
+ description: 'Stakeholder Identification: Identify and consult with stakeholders,
+ including the Chief Information Security Officer (CISO), the Chief Privacy
+ Officer (CPO), relevant information security and privacy protection organizations,
+ the IT department, departments handling critical information and personal
+ data, and key information and personal data handlers.'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented a procedure for regularly reviewing
+ the validity of information security and personal data protection policies
+ and implementation documents?
+
+ - When significant changes occur in the internal or external environment of
+ the organization, do you review the impact on information security and personal
+ data protection policies and implementation documents, and make revisions
+ as necessary?
+
+ - Do you obtain review from stakeholders when revising or amending information
+ security and personal data protection policies and implementation documents?
+
+ - Do you maintain a history of revisions and amendments to information security
+ and personal data protection policies and implementation documents?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node221
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node219
+ description: 'Impact Assessment: Consider the impact of policy and document
+ changes on operations, legal compliance, and other factors.'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented a procedure for regularly reviewing
+ the validity of information security and personal data protection policies
+ and implementation documents?
+
+ - When significant changes occur in the internal or external environment of
+ the organization, do you review the impact on information security and personal
+ data protection policies and implementation documents, and make revisions
+ as necessary?
+
+ - Do you obtain review from stakeholders when revising or amending information
+ security and personal data protection policies and implementation documents?
+
+ - Do you maintain a history of revisions and amendments to information security
+ and personal data protection policies and implementation documents?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node222
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node219
+ description: 'Documentation: Keep records of review discussions (e.g., meeting
+ minutes) and incorporate relevant details into policies and guidelines.'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented a procedure for regularly reviewing
+ the validity of information security and personal data protection policies
+ and implementation documents?
+
+ - When significant changes occur in the internal or external environment of
+ the organization, do you review the impact on information security and personal
+ data protection policies and implementation documents, and make revisions
+ as necessary?
+
+ - Do you obtain review from stakeholders when revising or amending information
+ security and personal data protection policies and implementation documents?
+
+ - Do you maintain a history of revisions and amendments to information security
+ and personal data protection policies and implementation documents?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node223
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.1
+ description: 'Document Change History Management: Establish and implement a
+ document management procedure to record and manage the history of changes
+ (e.g., creation, revision, distribution, disposal) in information security
+ and privacy protection policies and documents.'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented a procedure for regularly reviewing
+ the validity of information security and personal data protection policies
+ and implementation documents?
+
+ - When significant changes occur in the internal or external environment of
+ the organization, do you review the impact on information security and personal
+ data protection policies and implementation documents, and make revisions
+ as necessary?
+
+ - Do you obtain review from stakeholders when revising or amending information
+ security and personal data protection policies and implementation documents?
+
+ - Do you maintain a history of revisions and amendments to information security
+ and personal data protection policies and implementation documents?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node224
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node223
+ description: 'Version Control: Manage document versions, dates, reasons for
+ changes, authors, and approvers by recording the revision history within the
+ document.'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented a procedure for regularly reviewing
+ the validity of information security and personal data protection policies
+ and implementation documents?
+
+ - When significant changes occur in the internal or external environment of
+ the organization, do you review the impact on information security and personal
+ data protection policies and implementation documents, and make revisions
+ as necessary?
+
+ - Do you obtain review from stakeholders when revising or amending information
+ security and personal data protection policies and implementation documents?
+
+ - Do you maintain a history of revisions and amendments to information security
+ and personal data protection policies and implementation documents?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node225
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node223
+ description: 'Distribution and Access: Ensure that all relevant employees always
+ refer to the latest version of the document through proper distribution and
+ management.'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented a procedure for regularly reviewing
+ the validity of information security and personal data protection policies
+ and implementation documents?
+
+ - When significant changes occur in the internal or external environment of
+ the organization, do you review the impact on information security and personal
+ data protection policies and implementation documents, and make revisions
+ as necessary?
+
+ - Do you obtain review from stakeholders when revising or amending information
+ security and personal data protection policies and implementation documents?
+
+ - Do you maintain a history of revisions and amendments to information security
+ and personal data protection policies and implementation documents?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.1.2
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1
+ ref_id: 2.1.2
+ name: Organization Maintenance
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node227
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.2
+ description: Considering the characteristics of the organization related to
+ the performance of information security and privacy protection tasks, the
+ roles and responsibilities of relevant managers and personnel must be specifically
+ defined in the implementation documents.
+ annotation: 'Key Points for Verification:
+
+ - Are the roles and responsibilities of those in charge of information security
+ and privacy protection clearly defined?
+
+ - Is there a system in place to evaluate the activities of those responsible
+ for information security and privacy protection?
+
+ - Are there established and implemented systems and procedures for communication
+ between the information security and privacy protection teams and other members
+ of the organization?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node228
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node227
+ description: ' Chief Information Security Officer (CISO) and Chief Privacy Officer
+ (CPO)'
+ annotation: 'Key Points for Verification:
+
+ - Are the roles and responsibilities of those in charge of information security
+ and privacy protection clearly defined?
+
+ - Is there a system in place to evaluate the activities of those responsible
+ for information security and privacy protection?
+
+ - Are there established and implemented systems and procedures for communication
+ between the information security and privacy protection teams and other members
+ of the organization?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node229
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node227
+ description: Information security and privacy protection managers and personnel
+ annotation: 'Key Points for Verification:
+
+ - Are the roles and responsibilities of those in charge of information security
+ and privacy protection clearly defined?
+
+ - Is there a system in place to evaluate the activities of those responsible
+ for information security and privacy protection?
+
+ - Are there established and implemented systems and procedures for communication
+ between the information security and privacy protection teams and other members
+ of the organization?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node230
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node227
+ description: Departmental information security and privacy protection managers
+ and personnel
+ annotation: 'Key Points for Verification:
+
+ - Are the roles and responsibilities of those in charge of information security
+ and privacy protection clearly defined?
+
+ - Is there a system in place to evaluate the activities of those responsible
+ for information security and privacy protection?
+
+ - Are there established and implemented systems and procedures for communication
+ between the information security and privacy protection teams and other members
+ of the organization?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node231
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node227
+ description: The CISO and CPO should perform tasks that reflect legal requirements
+ annotation: 'Conf page 56 of the guide '
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node232
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node227
+ description: Information security and privacy protection managers, protection
+ officers, and practitioners should have their roles and responsibilities specifically
+ defined through job descriptions and other relevant documents to ensure they
+ can practically support and implement the management duties of the Chief Information
+ Security Officer (CISO) and Chief Privacy Officer (CPO).
+ annotation: 'Key Points for Verification:
+
+ - Are the roles and responsibilities of those in charge of information security
+ and privacy protection clearly defined?
+
+ - Is there a system in place to evaluate the activities of those responsible
+ for information security and privacy protection?
+
+ - Are there established and implemented systems and procedures for communication
+ between the information security and privacy protection teams and other members
+ of the organization?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node233
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.2
+ description: A system for evaluating the activities of those responsible for
+ information security and privacy protection must be established.
+ annotation: 'Key Points for Verification:
+
+ - Are the roles and responsibilities of those in charge of information security
+ and privacy protection clearly defined?
+
+ - Is there a system in place to evaluate the activities of those responsible
+ for information security and privacy protection?
+
+ - Are there established and implemented systems and procedures for communication
+ between the information security and privacy protection teams and other members
+ of the organization?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node234
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node233
+ description: Develop methods to regularly evaluate information security and
+ privacy protection activities, such as through Key Performance Indicators
+ (KPI), Management By Objectives (MBO), and performance appraisals within the
+ organization.
+ annotation: 'Key Points for Verification:
+
+ - Are the roles and responsibilities of those in charge of information security
+ and privacy protection clearly defined?
+
+ - Is there a system in place to evaluate the activities of those responsible
+ for information security and privacy protection?
+
+ - Are there established and implemented systems and procedures for communication
+ between the information security and privacy protection teams and other members
+ of the organization?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node235
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.2
+ description: " A system and procedures for communication between the organization\u2019\
+ s members and the information security and privacy protection teams must be\
+ \ established and implemented"
+ annotation: 'Key Points for Verification:
+
+ - Are the roles and responsibilities of those in charge of information security
+ and privacy protection clearly defined?
+
+ - Is there a system in place to evaluate the activities of those responsible
+ for information security and privacy protection?
+
+ - Are there established and implemented systems and procedures for communication
+ between the information security and privacy protection teams and other members
+ of the organization?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node236
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node235
+ description: Develop and implement a communication management plan related to
+ information security and privacy protection.
+ annotation: 'Key Points for Verification:
+
+ - Are the roles and responsibilities of those in charge of information security
+ and privacy protection clearly defined?
+
+ - Is there a system in place to evaluate the activities of those responsible
+ for information security and privacy protection?
+
+ - Are there established and implemented systems and procedures for communication
+ between the information security and privacy protection teams and other members
+ of the organization?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.1.3
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1
+ ref_id: 2.1.3
+ name: Information Asset Management
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node238
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.3
+ description: The handling procedures (creation, acquisition, storage, use, disposal,
+ etc.) according to the security classification of information assets must
+ be defined, and appropriate protection measures such as encryption and access
+ control must be established and implemented accordingly.
+ annotation: 'Key Points for Verification:
+
+ - Are handling procedures (creation, acquisition, storage, use, disposal)
+ and protection measures defined and implemented according to the security
+ classification of information assets?
+
+ - Are responsible persons and administrators designated for the identified
+ information assets?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node239
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node238
+ description: 'Indicate the security classification (confidential, secret, general,
+ etc.)
of each information asset to enable employees to identify them:'
+ annotation: 'Key Points for Verification:
+
+ - Are handling procedures (creation, acquisition, storage, use, disposal)
+ and protection measures defined and implemented according to the security
+ classification of information assets?
+
+ - Are responsible persons and administrators designated for the identified
+ information assets?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node240
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node239
+ description: '(Electronic) Documents: Indicate on the document cover or through
+ watermarking, etc.'
+ annotation: 'Key Points for Verification:
+
+ - Are handling procedures (creation, acquisition, storage, use, disposal)
+ and protection measures defined and implemented according to the security
+ classification of information assets?
+
+ - Are responsible persons and administrators designated for the identified
+ information assets?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node241
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node239
+ description: 'Hardware assets such as servers: Confirm the security classification
+ through asset numbers or barcode labels, etc.'
+ annotation: 'Key Points for Verification:
+
+ - Are handling procedures (creation, acquisition, storage, use, disposal)
+ and protection measures defined and implemented according to the security
+ classification of information assets?
+
+ - Are responsible persons and administrators designated for the identified
+ information assets?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node242
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node238
+ description: Establish and implement handling procedures and security control
+ standards according to the security classification of information assets (creation,
+ acquisition, storage, use, disposal, etc.).
+ annotation: 'Key Points for Verification:
+
+ - Are handling procedures (creation, acquisition, storage, use, disposal)
+ and protection measures defined and implemented according to the security
+ classification of information assets?
+
+ - Are responsible persons and administrators designated for the identified
+ information assets?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node243
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.1.3
+ description: For identified information assets, the person responsible for asset
+ introduction, modification, disposal, transfer, security management, and the
+ person in charge of the actual management and operation of the assets (or
+ the administrator) must be designated to clearly define the responsibilities.
+ annotation: 'Key Points for Verification:
+
+ - Are handling procedures (creation, acquisition, storage, use, disposal)
+ and protection measures defined and implemented according to the security
+ classification of information assets?
+
+ - Are responsible persons and administrators designated for the identified
+ information assets?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node244
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node243
+ description: Assign responsible persons and administrators for each information
+ asset and record them in the asset inventory.
+ annotation: 'Key Points for Verification:
+
+ - Are handling procedures (creation, acquisition, storage, use, disposal)
+ and protection measures defined and implemented according to the security
+ classification of information assets?
+
+ - Are responsible persons and administrators designated for the identified
+ information assets?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node245
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node243
+ description: In the event of personnel changes due to resignation, transfer,
+ etc., or changes in the status of information assets due to introduction,
+ modification, or disposal, update the asset inventory to reflect the responsible
+ persons and administrators for each information asset.
+ annotation: 'Key Points for Verification:
+
+ - Are handling procedures (creation, acquisition, storage, use, disposal)
+ and protection measures defined and implemented according to the security
+ classification of information assets?
+
+ - Are responsible persons and administrators designated for the identified
+ information assets?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.2
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2
+ ref_id: '2.2'
+ name: Human Security
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2
+ ref_id: 2.2.1
+ name: Designation and Management of Key Personnel
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node248
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1
+ description: Clear criteria for handling personal information and sensitive
+ information, as well as access to key systems, should be defined.
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node249
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1
+ description: Employees and external parties performing key duties should be
+ designated as key personnel, and their list should be kept up-to-date.
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node250
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node249
+ description: ' Identify key personnel and formally designate them as key personnel.'
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node251
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node249
+ description: ' Maintain a list of designated key personnel.'
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node252
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node249
+ description: Update the list when new key personnel are designated, or when
+ there are changes or removals.
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node253
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node249
+ description: Regularly review the designation of key personnel for appropriateness
+ and update the list accordingly.
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node254
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1
+ description: Individuals handling personal information as part of their duties
+ should be designated as personal information handlers, and their list should
+ be kept up-to-date.
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node255
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node254
+ description: Maintain a list of personal information handlers who process personal
+ information as part of their job.
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node256
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node254
+ description: The list of personal information handlers should include those
+ handlers employed by subcontractors who have been entrusted with personal
+ information processing tasks. (However, subcontractors may manage their own
+ list for personal information handlers who do not have access rights to the
+ personal information processing system.)
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node257
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1
+ description: Regularly review the designation of personal information handlers
+ for appropriateness and update the list accordingly.
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node258
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.1
+ description: Management measures should be established and implemented to minimize
+ the designation of key personnel and personal information handlers based on
+ business necessity.
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node259
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node258
+ description: Designate key personnel and personal information handlers only
+ when absolutely necessary for business purposes.
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node260
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node258
+ description: Establish approval procedures for the application and granting
+ of key personnel and personal information handler privileges.
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node261
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node258
+ description: Develop and implement management and control measures for key personnel
+ and personal information handlers, including training, monitoring, etc.
+ annotation: 'Key Points for Verification:
+
+ - Are the criteria for key tasks, such as handling personal information and
+ sensitive information, as well as accessing critical systems, clearly defined?
+
+ - Are employees and external parties who perform key tasks designated as key
+ personnel, and is the list of such personnel kept up-to-date?
+
+ - Are individuals who handle personal information in their job designated
+ as personal information handlers, and is the list of such individuals kept
+ up-to-date?
+
+ - Do you establish and implement management measures to minimize the designation
+ of key personnel and personal information handlers based on business necessity?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.2
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2
+ ref_id: 2.2.2
+ name: Job Role Separation
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node263
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.2
+ description: 'To prevent potential harm from the misuse or abuse of privileges,
+ the following job separation criteria must be established and applied:'
+ annotation: 'Key Points for Verification:
+
+ - Are criteria for job separation established and applied to prevent potential
+ damage from the misuse or abuse of privileges?
+
+ - If job separation is difficult to implement, are there compensatory controls
+ in place, such as mutual review between job holders, regular monitoring by
+ senior management, approval of changes, and ensuring accountability?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node264
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263
+ description: Separation of development and operational roles
+ annotation: 'Key Points for Verification:
+
+ - Are criteria for job separation established and applied to prevent potential
+ damage from the misuse or abuse of privileges?
+
+ - If job separation is difficult to implement, are there compensatory controls
+ in place, such as mutual review between job holders, regular monitoring by
+ senior management, approval of changes, and ensuring accountability?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node265
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263
+ description: Separation of information security officers, personal information
+ handlers, and information security and personal information monitoring roles
+ annotation: 'Key Points for Verification:
+
+ - Are criteria for job separation established and applied to prevent potential
+ damage from the misuse or abuse of privileges?
+
+ - If job separation is difficult to implement, are there compensatory controls
+ in place, such as mutual review between job holders, regular monitoring by
+ senior management, approval of changes, and ensuring accountability?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node266
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263
+ description: Separation of operational roles between information systems and
+ personal information processing systems (servers, databases, etc.)
+ annotation: 'Key Points for Verification:
+
+ - Are criteria for job separation established and applied to prevent potential
+ damage from the misuse or abuse of privileges?
+
+ - If job separation is difficult to implement, are there compensatory controls
+ in place, such as mutual review between job holders, regular monitoring by
+ senior management, approval of changes, and ensuring accountability?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node267
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263
+ description: Separation of information security and personal information protection
+ management from information security and personal information protection audit
+ functions
+ annotation: 'Key Points for Verification:
+
+ - Are criteria for job separation established and applied to prevent potential
+ damage from the misuse or abuse of privileges?
+
+ - If job separation is difficult to implement, are there compensatory controls
+ in place, such as mutual review between job holders, regular monitoring by
+ senior management, approval of changes, and ensuring accountability?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node268
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263
+ description: Separation of personal information protection management from the
+ operation of personal information processing systems
+ annotation: 'Key Points for Verification:
+
+ - Are criteria for job separation established and applied to prevent potential
+ damage from the misuse or abuse of privileges?
+
+ - If job separation is difficult to implement, are there compensatory controls
+ in place, such as mutual review between job holders, regular monitoring by
+ senior management, approval of changes, and ensuring accountability?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node269
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263
+ description: Separation of personal information protection management from the
+ development of personal information processing systems, etc.
+ annotation: 'Key Points for Verification:
+
+ - Are criteria for job separation established and applied to prevent potential
+ damage from the misuse or abuse of privileges?
+
+ - If job separation is difficult to implement, are there compensatory controls
+ in place, such as mutual review between job holders, regular monitoring by
+ senior management, approval of changes, and ensuring accountability?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node270
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node263
+ description: Prohibition of granting rights to external contractor staff for
+ user account registration/deletion (deactivation) and access right registration/modification/deletion
+ (with compensatory controls applied if unavoidable)
+ annotation: 'Key Points for Verification:
+
+ - Are criteria for job separation established and applied to prevent potential
+ damage from the misuse or abuse of privileges?
+
+ - If job separation is difficult to implement, are there compensatory controls
+ in place, such as mutual review between job holders, regular monitoring by
+ senior management, approval of changes, and ensuring accountability?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node271 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.2 + description: 'If job separation is unavoidably difficult due to reasons such + as a small organization size or lack of human resources, compensatory controls, + such as mutual review among role holders and ensuring accountability, must + be established:' + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node272 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node271 + description: Management to prevent misuse or abuse through mutual review among + role holders and approval by senior management + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? + + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node273 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node271 + description: ' Ensuring accountability through the use of individual accounts, + logging, and audits/monitoring' + annotation: 'Key Points for Verification: + + - Are criteria for job separation established and applied to prevent potential + damage from the misuse or abuse of privileges? 
+ + - If job separation is difficult to implement, are there compensatory controls + in place, such as mutual review between job holders, regular monitoring by + senior management, approval of changes, and ensuring accountability?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2 + ref_id: 2.2.3 + name: Security Pledges + - urn: urn:intuitem:risk:req_node:k_isms_p:node275 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.3 + description: New employees must sign an information security and personal data + protection agreement that specifies their responsibilities in these areas. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node276 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node275 + description: When new employees join, they should sign an agreement outlining + the necessity and responsibilities of information security and personal data + protection, compliance with internal policies and relevant regulations, and + confidentiality obligations. 
+ annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node277 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node275 + description: In the event of significant changes such as changes in employment + conditions, the agreement should be revised accordingly. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node278 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.3 + description: When granting access to information assets (including personal + data) and information systems to external personnel such as temporary staff + or outsourced workers, an agreement must be obtained that specifies their + responsibilities for information security and personal data protection, as + well as confidentiality obligations. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node279 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node278 + description: The agreement should include necessary details such as responsibilities + for information security and personal data protection, confidentiality obligations, + compliance with internal regulations and relevant laws, and liability for + damages arising from non-compliance with these obligations. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? 
+ + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node280 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.3 + description: Upon an employee's resignation, a separate confidentiality agreement + must be obtained. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node281 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node280 + description: Ensure that departing employees are clearly aware of their legal + responsibilities in case of information leakage by obtaining a confidentiality + agreement (to be included in the resignation process). 
+ annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node282 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.3 + description: Information security, personal data protection, and confidentiality + agreements should be securely stored and managed to be easily retrievable + when needed. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node283 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node282 + description: Store and manage these agreements in a secure manner, such as in + a locked cabinet or a document repository with access controls, to be used + as evidence of legal responsibility in case of legal disputes. + annotation: 'Key Points for Verification: + + - Are new employees required to sign an information security and personal + data protection agreement that clearly specifies their responsibilities in + these areas? + + - When granting access to information assets to external personnel such as + temporary staff or outsourced workers, is an agreement obtained that outlines + their responsibilities for information security, personal data protection, + and confidentiality obligations? + + - Upon an employee''s resignation, is a separate confidentiality agreement + obtained? + + - Are information security, personal data protection, and confidentiality + agreements securely stored and managed in a way that they can be easily retrieved + when needed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2 + ref_id: 2.2.4 + name: Awareness and Training + - urn: urn:intuitem:risk:req_node:k_isms_p:node285 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + description: 'The annual information security and personal data protection training + plan must be developed with specific details including the timing, duration, + target audience, content, and methods of training, and receive approval from + management. 
This plan should include:' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node286 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node285 + description: 'Types of Training: Employee awareness training, training for key + personnel, personal data handlers, contractors, and specialized training.' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? 
+ + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node287 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node285 + description: 'Training Plan: Objectives, target audience, content, methods, + schedule, and duration (differentiated based on business scale, amount of + personal data held, nature of work, target audience, and type of training).' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? 
+ + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node288 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node285 + description: 'Approval: Review and approval of the training plan, including + budget allocation to ensure it is carried out as planned' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? 
+ + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node289 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + description: You must conduct regular training sessions at least once a year + for all employees and external parties within the management system's scope, + according to the annual training plan, and provide additional training in + response to significant changes in relevant laws and regulations. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node290 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: 'Inclusion: All personnel with direct or indirect access to information + assets, including employees, temporary staff, and external service providers.' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node291 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: 'Contractors and Delegated Employees: Provide relevant materials + to ensure the contractor performs the training, and manage and supervise the + implementation.' 
+ annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node292 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: 'Frequency: At least once a year (especially for personal data + handlers, as legal requirements mandate annual personal data protection training).' + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? 
+ + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node293 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: "Content: Ensure that the training content includes all necessary\ + \ information for employees and relevant external parties to understand and\ + \ comply with the organization\u2019s management system and policies." + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? 
+ + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node294 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: Develop and implement methods for training personnel who missed + sessions due to business trips, vacations, or work commitments (e.g., additional + training sessions for absentees, supplementary training, online courses). + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? 
+ + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node295 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node289 + description: Conduct additional training in the event of significant changes + to internal regulations and procedures, security incidents within or outside + the organization, or changes in relevant laws and regulations. However, if + the issues are not critical, alternative methods such as bulletin board notices, + email notifications, or distribution of booklets may be used. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node296 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + description: Implement information security and personal data protection training + before new employees and external contractors start their work. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node297 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node296 + description: Provide information security and personal data protection training + either at the point of hiring or before commencing duties to ensure understanding + of organizational policies, precautions, and legal responsibilities for violations. 
+ annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node298 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + description: Ensure that employees within IT and information security roles + receive specialized training to enhance their expertise in information security + and personal data protection. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? 
+ + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node299 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node298 + description: IT staff, Chief Information Security Officer, Chief Personal Data + Protection Officer, personal data handlers, and information security personnel. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? 
+ + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node300 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node298 + description: Participation in conferences, seminars, and workshops related to + information security and personal data protection; outsourced training from + specialized institutions; internal training with external experts. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node301 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.4 + description: Keep records of training activities and assess the effectiveness + and appropriateness of the training to incorporate findings into future training + plans. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node302 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node301 + description: Maintain records such as training announcements, materials, and + attendance logs. Evaluate the appropriateness and effectiveness of the training + using pre-established criteria through surveys or tests. 
+ annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? + + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node303 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node301 + description: Develop measures to address areas for improvement identified in + training evaluations and reflect these measures in the next training plan. + annotation: 'Key Points for Verification: + + - Have you established an annual training plan for information security and + personal data protection that includes the timing, duration, target audience, + content, and methods of training, and received approval from management? 
+ + - Are you conducting regular training sessions at least once a year for all + employees and external parties within the management system''s scope, in accordance + with the annual training plan, and providing additional training in response + to significant changes in relevant laws and regulations? + + - Are you implementing information security and personal data protection training + before employees start their work and for new contracts with external parties? + + - Are employees in IT and information security, personal data protection organizations + receiving additional training to enhance their expertise in their specific + roles related to information security and personal data protection? + + - Are records of training activities maintained, and is the effectiveness + and appropriateness of the training evaluated and reflected in the next training + plan?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2 + ref_id: 2.2.5 + name: Management of Employee Termination and Role Changes + - urn: urn:intuitem:risk:req_node:k_isms_p:node305 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.5 + description: Personnel changes due to retirement, job changes, departmental + transfers, or leave of absence must be promptly communicated among relevant + departments such as HR, information security, personal data protection, and + systems operations. + annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? 
+ + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node306 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node305 + description: Procedures must be established and implemented to ensure that personnel + change information is quickly shared among the relevant organizations and + systems. + annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? + + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node307 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.5 + description: When personnel (employees, temporary staff, outsourced workers, + etc.) retire or change roles within the organization, procedures must be established + and implemented for the prompt return of information assets, revocation or + adjustment of access rights, and verification of these actions. 
+ annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? + + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node308 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node307 + description: Procedures must be established and implemented for the return of + access cards and assets, deletion or locking of accounts, revocation or adjustment + of access rights, and security checks during retirement or job changes. + annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? + + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node309 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node307 + description: If account sharing was unavoidable, the password for the shared + account must be changed immediately. 
+ annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? + + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node310 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node307 + description: Records must be maintained, and compliance with the retirement + procedures should be reviewed regularly. + annotation: 'Key Points for Verification: + + - Are personnel changes due to retirement, job changes, departmental transfers, + or leave of absence communicated and shared among the HR department, information + security and personal data protection department, and information systems + and personal data processing systems operational departments? + + - Have procedures been established and implemented to ensure the prompt return + of information assets, retrieval or adjustment of access rights, and verification + of these actions when an employee (including full-time employees, temporary + staff, and outsourced personnel) retires or changes their job role?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.2.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2 + ref_id: 2.2.6 + name: Actions in Case of Security Violations + - urn: urn:intuitem:risk:req_node:k_isms_p:node312 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.6 + description: ' Regulations must be established for penalizing employees and + relevant external parties who violate information protection and privacy responsibilities + and obligations as per laws, regulations, and internal policies.' + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? + + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node313 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node312 + description: Establish investigation, clarification, and disciplinary action + criteria and procedures for cases of non-compliance with relevant laws and + internal regulations, failure to fulfill responsibilities, and damage, misuse, + or exposure of important information and personal data. + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? + + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node314 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node312 + description: Consider compensation measures for those who diligently fulfill + their information protection and privacy responsibilities and obligations. + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? + + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node315 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.2.6 + description: Actions must be taken according to internal procedures when violations + of information protection and privacy are detected. + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? + + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node316 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node315 + description: Implement actions based on the reward and punishment regulations + and record the outcomes. + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? 
+ + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node317 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node315 + description: Use the incident for company-wide announcements or as a case in + training if necessary. + annotation: 'Key Points for Verification: + + - Have regulations been established regarding the penalties for employees + and relevant external parties who violate information protection and privacy + responsibilities and obligations in accordance with laws, regulations, and + internal policies? + + - When violations of information protection and privacy are detected, are + actions taken according to internal procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.3' + name: External Security + - urn: urn:intuitem:risk:req_node:k_isms_p:2.3.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3 + ref_id: 2.3.1 + name: Management of External Parties + - urn: urn:intuitem:risk:req_node:k_isms_p:node320 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.1 + description: You must clearly identify the status of outsourcing and the use + of external facilities and services within the scope of the management system. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node321 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node320 + description: Identify the status of outsourcing and the use of external facilities + and services within the management system's scope. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node322 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node320 + description: Develop and continuously update a list of the status of outsourcing + and the use of external facilities and services. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node323 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.1 + description: 'Identify Legal Requirements and Risks Associated with Outsourcing + and the Use of External Facilities/Services and Implement Appropriate Safeguards:' + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? 
+ + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node324 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node323 + description: Determine if the outsourcing involves personal data processing. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node325 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node323 + description: Assess if there is any transfer of personal data abroad. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node326 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node323 + description: Identify relevant legal requirements such as those under the Personal + Information Protection Act and the Information and Communications Network + Act. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? 
+ + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node327 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node323 + description: Perform a risk assessment related to outsourcing and the use of + external facilities/services, including compliance with legal requirements. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node328 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node323 + description: Develop and implement appropriate protective measures based on + the risk assessment results. For example, perform concentrated on-site inspections + with different frequencies and checklists for high-risk service providers. + annotation: 'Key Points for Verification: + + - Are you identifying the current status of outsourcing and the use of external + facilities and services within the scope of the management system? + + - Are you identifying the legal requirements and risks associated with outsourcing + and the use of external facilities and services, and implementing appropriate + protective measures?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.3.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3 + ref_id: 2.3.2 + name: Security in External Contracts + - urn: urn:intuitem:risk:req_node:k_isms_p:node330 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.2 + description: When selecting external services and contractors related to the + processing of critical information and personal data, procedures must be established + to consider their information security and privacy protection capabilities + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node331 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node330 + description: Ensure that vendors with information security and privacy protection + capabilities are selected by incorporating relevant requirements into the + Request for Proposal (RFP) and evaluation criteria. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? 
+ + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node332 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.2 + description: 'When outsourcing organizational information processing tasks or + using external services, the following security requirements must be defined + and reflected in the contract:' + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node333 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Compliance with information security and privacy protection laws, + and submission of an information security and privacy protection pledge. 
+ annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node334 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Regular information security training and periodic security inspections + for employees performing outsourced tasks. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node335 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Measures to prevent the leakage of critical information acquired + during task performance. 
+ annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node336 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Restrictions on external internet access, physical protection measures + (e.g., equipment and media access control), endpoint security (e.g., antivirus + installation, secure password setup and periodic changes, screen saver settings), + and restrictions on wireless network usage. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node337 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Procedures for granting and revoking access permissions to prevent + excessive privileges when accessing information systems. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node338 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Restrictions on subcontracting, and procedures and security requirements + for any necessary subcontracting. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node339 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node332 + description: Penalties for non-compliance with security requirements, liability + for damages, and reporting obligations in the event of security incidents. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node340 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.2 + description: When outsourcing the development of information systems and personal + data processing systems, the contract must specify the information security + and privacy protection requirements that must be adhered to during development. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? 
+ + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node341 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Compliance with legal requirements related to information security + and privacy protection. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node342 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Application of development security procedures, including adherence + to secure coding standards. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? 
+ + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node343 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Vulnerability assessments and remediation for the completed information + systems and personal data processing systems. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node344 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Security management of development-related deliverables, source + code, and development data within the development environment. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? 
+ + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node345 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Obligation to maintain confidentiality regarding information acquired + during the development process. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? + + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node346 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node340 + description: Liability for damages and other responsibilities in case of violations. + annotation: 'Key Points for Verification: + + - When selecting external services and contractors related to the processing + of critical information and personal data, have procedures been established + to consider their information security and privacy protection capabilities? + + - Are the information security and privacy protection requirements for using + external services and outsourcing tasks identified and specified in contracts + or agreements? 
+ + - When outsourcing the development of information systems and personal data + processing systems, are the information security and privacy protection requirements + to be followed during development specified in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.3.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3 + ref_id: 2.3.3 + name: Management of Security Compliance by External Parties + - urn: urn:intuitem:risk:req_node:k_isms_p:node348 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.3 + description: External parties must undergo periodic checks or audits to ensure + compliance with the information security and privacy protection requirements + specified in contracts, agreements, and internal policies. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node349 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node348 + description: Regularly conduct checks or audits to ensure adherence to the defined + security requirements when engaging with external parties. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? 
+ + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node350 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node348 + description: Checks or audits should be conducted before the commencement of + work, during the ongoing process, and at the end of the work, with additional + checks as needed. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node351 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node348 + description: Determine the frequency and method of inspections based on factors + such as the external party's information security and privacy protection capabilities, + possession of their own systems, and the volume and sensitivity of the information + being processed. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? 
+ + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node352 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.3 + description: When issues are identified during checks or audits of external + parties, a corrective action plan must be developed and implemented. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node353 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node352 + description: Share the results of inspections and audits, establish and implement + measures to address identified issues and prevent recurrence. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node354 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node352 + description: Perform follow-up checks to ensure the completion and effectiveness + of corrective actions. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node355 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.3 + description: When a subcontractor entrusted with personal data processing tasks + subcontracts the work to a third party, the principal must give consent. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node356 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node355 + description: A personal data processing subcontractor may only subcontract to + a third party with the principal's consent and must ensure that the subcontractor + implements the same level of technical and managerial protective measures + as required by the principal. + annotation: 'Key Points for Verification: + + - Are periodic checks or audits conducted to ensure that external parties + comply with the information security and privacy protection requirements specified + in contracts, agreements, and internal policies? + + - When issues are found during checks or audits of external parties, is a + corrective action plan developed and implemented? + + - When a subcontractor to whom personal data processing tasks are entrusted + subcontracts the work to a third party, is the consent of the principal obtained?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.3.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3 + ref_id: 2.3.4 + name: Security in Contract Changes and Expiration + - urn: urn:intuitem:risk:req_node:k_isms_p:node358 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.4 + description: Security measures must be established and implemented to ensure + that, upon the expiration of external contracts, completion of work, or changes + in responsible personnel, procedures are followed for the return of information + assets, deletion of information system access accounts, destruction of important + information, and collection of confidentiality agreements. 
+ annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node359 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node358 + description: Develop information-sharing mechanisms to ensure that the responsible + organization can promptly recognize the expiration of external contracts, + completion of work, or changes in responsible personnel. + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node360 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node358 + description: Establish and implement security measures related to the expiration + of external contracts, completion of work, or changes in responsible personnel. 
+ annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node361 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.3.4 + description: Upon the expiration of external contracts, procedures must be established + and implemented to verify whether the external party retains important information + and personal data related to the contracted work and to ensure that such information + is recovered and disposed of. + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node362 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node361 + description: "To recover and dispose of personal data and other important information,\ + \ either visit the contractor\u2019s office in person or remotely delete the\ + \ personal data and obtain a confirmation of destruction." + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node363 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node361 + description: Ensure deletion measures are applied not only to information systems + and responsible personnel's PCs but also to all devices and media where the + relevant information is stored, including email inboxes. + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? 
+ + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node364 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node361 + description: Dispose of the information using secure methods to prevent recovery + or reconstruction. + annotation: 'Key Points for Verification: + + - Are security measures established and implemented to ensure that upon the + expiration of external contracts, completion of work, or changes in responsible + personnel, official procedures are followed for the return of information + assets, deletion of information system access accounts, and collection of + confidentiality agreements? + + - Upon the expiration of an external contract, do you have procedures in place + to confirm whether the external party retains any important information or + personal data related to the contracted work, and to ensure its return or + destruction?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.4' + name: Physical Security + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.1 + name: Designation of Protected Areas + - urn: urn:intuitem:risk:req_node:k_isms_p:node367 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.1 + description: To protect personal information, important information, documents, + storage media, major equipment, and systems from physical and environmental + threats, criteria for designating physical protection zones, such as control + zones, restricted areas, and visitor areas, must be established. 
+ annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? + + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node368 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node367 + description: Designate physical protection zones such as visitor areas, restricted + areas, and control zones. + annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? + + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node369 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node367 + description: Select and define the terminology and distinctions for protection + zones according to the organization's environment. + annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? 
+ + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node370 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.1 + description: According to the criteria for designating physical protection zones, + the zones must be designated and protection measures for each zone must be + established and implemented. + annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? + + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node371 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node370 + description: Apply protection measures for each zone, including access control + methods (such as ID cards or biometric authentication), authorized personnel, + access procedures, and video surveillance. + annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? + + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node372 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node370 + description: Since control zones are designed to limit access to authorized + personnel even within the organization, mark these zones as controlled when + necessary to prevent unauthorized access attempts, and periodically review + for any illegal access attempts. + annotation: 'Key Points for Verification: + + - To protect personal information, important information, documents, storage + media, major equipment, and systems from physical and environmental threats, + are criteria for designating physical protection zones, such as control zones, + restricted areas, and visitor areas, established? + + - Are protection zones designated according to the physical protection zone + criteria, and are protection measures established and implemented for each + zone?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.2 + name: Access Control + - urn: urn:intuitem:risk:req_node:k_isms_p:node374 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.2 + description: You must establish access control procedures to ensure that only + authorized individuals can enter each protected area and manage the list of + authorized personnel. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node375 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node374 + description: Define the departments, roles, and tasks that are permitted to + access each protected area, identify employees who have been granted access + rights, and manage their status. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node376 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node374 + description: For controlled areas, ensure that only a minimal number of individuals + are allowed entry based on work needs. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node377 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node374 + description: 'Access control procedures should include: access request, approval + by the responsible person, granting and revoking access rights, recording + access history, and regular review of access records.' + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? 
+ + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node378 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node374 + description: Install access control devices such as password-based, ID card-based, + or biometric-based systems. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node379 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node374 + description: Establish and operate access control procedures, including registration + and deletion of access, management of access rights, visitor management, and + access log management. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node380 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.2 + description: Entry records for each protected area should be preserved for a + specified period, and access records and permissions should be reviewed periodically. 
+ annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node381 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node380 + description: Preserve entry records for a specified period to enable post-event + monitoring, either in paper or electronic form. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node382 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node380 + description: Review access records and permissions for issues such as long-term + non-access, abnormal access attempts, or excessive access permissions. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node383 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node380 + description: Identify unauthorized access attempts and long-term non-access, + investigate the reasons, and take appropriate actions. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node384 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node380 + description: Through periodic reviews, recover access cards from former employees + and remove their access rights, and adjust access rights due to job changes. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? + + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node385 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node380 + description: If the system cannot log access, maintain a manual access log to + verify entry records. + annotation: 'Key Points for Verification: + + - Are access controls in place to ensure that only authorized individuals + can enter the protected areas according to the access procedures? 
+ + - Are entry records for each protected area, including those for internal + and external personnel, preserved for a specified period, and are access records + and permissions reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.3 + name: Protection of Information Systems + - urn: urn:intuitem:risk:req_node:k_isms_p:node387 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.3 + description: You should separate the physical locations of information systems + based on their importance, purpose, and characteristics. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node388 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node387 + description: For information systems such as personal data processing systems, + network equipment, security systems, and backup equipment, use server racks + to protect the systems from external threats. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? 
+ + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node389 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node387 + description: For high-importance systems like personal data processing systems, + install locking mechanisms on server racks and manage them in cages with additional + physical security measures to restrict access to only essential personnel. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node390 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.3 + description: You should establish a means to easily verify the actual physical + locations of information systems (e.g., layout diagrams, asset lists). + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node391 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node390 + description: Manage physical layout diagrams (facility cross-sections, layout + diagrams, etc.) and asset lists to facilitate prompt action in case of security + incidents or failures. 
+ annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node392 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node390 + description: Include physical location information in asset lists and keep them + updated to maintain the most current records. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node393 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.3 + description: You should protect power and communication cables from physical + damage and electrical interference. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? 
+ + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node394 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node393 + description: Implement measures such as physical separation and wiring, identification + marking, maintaining distance to avoid mutual interference, and cable burial. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node395 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node393 + description: Restrict access to distribution panels, high-voltage rooms, low-voltage + rooms, etc., to authorized personnel only. + annotation: 'Key Points for Verification: + + - Are you segregating the physical locations of information systems based + on their importance, purpose, and characteristics? + + - Have you established measures to easily verify the actual physical locations + of information systems? + + - Are power and communication cables protected from physical damage and electrical + interference from external sources? 
+ + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.4 + name: Operation of Protective Equipment + - urn: urn:intuitem:risk:req_node:k_isms_p:node397 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.4 + description: For each protected area, based on its importance and characteristics, + you must equip it with necessary facilities and establish and implement operational + procedures to prepare for potential hazards such as fire, flooding, power + failures, and other man-made or natural disasters. + annotation: 'Key Points for Verification: + + - Have you equipped each protected area with necessary facilities and established + operational procedures to prepare for potential hazards such as fire, flooding, + and power failures, based on the importance and characteristics of the area? + + - If you outsource operations to an external data center (IDC), have you included + physical protection requirements in the contract and are you periodically + reviewing the operational status?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node398 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.4 + description: When outsourcing to an external data center (IDC), you must incorporate + physical security requirements into the contract and regularly review the + operational status. + annotation: 'Key Points for Verification: + + - Have you equipped each protected area with necessary facilities and established + operational procedures to prepare for potential hazards such as fire, flooding, + and power failures, based on the importance and characteristics of the area? + + - If you outsource operations to an external data center (IDC), have you included + physical protection requirements in the contract and are you periodically + reviewing the operational status?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node399 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node398 + description: Ensure compliance with information security regulations, and apply + physical security controls such as disaster and emergency preparedness (for + fire, power failures, etc.), access control, asset entry and exit control, + and video surveillance. Also, address issues related to damage compensation + in case of incidents. + annotation: 'Key Points for Verification: + + - Have you equipped each protected area with necessary facilities and established + operational procedures to prepare for potential hazards such as fire, flooding, + and power failures, based on the importance and characteristics of the area? + + - If you outsource operations to an external data center (IDC), have you included + physical protection requirements in the contract and are you periodically + reviewing the operational status?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node400 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node398 + description: Verify whether the IDC has liability insurance (failure to have + insurance may result in a fine of up to 2 million won). + annotation: 'Key Points for Verification: + + - Have you equipped each protected area with necessary facilities and established + operational procedures to prepare for potential hazards such as fire, flooding, + and power failures, based on the importance and characteristics of the area? + + - If you outsource operations to an external data center (IDC), have you included + physical protection requirements in the contract and are you periodically + reviewing the operational status?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.5 + name: Operations in Protected Areas + - urn: urn:intuitem:risk:req_node:k_isms_p:node402 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.5 + description: Official work request and execution procedures must be established + and implemented for situations requiring work within protected areas, such + as the introduction or maintenance of information systems. + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node403 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node402 + description: When performing work in controlled areas, procedures such as work + requests, approvals, and recording work details must be followed. + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node404 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node402 + description: Record details such as the date and time of work, purpose and content + of the work, the name of the contractor and responsible personnel, and the + names of reviewers and approvers. + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node405 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node402 + description: Establish procedures for accessing protected areas for work, ensure + traceability of work details, and implement monitoring measures. + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node406 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.5 + description: Work records must be periodically reviewed to verify whether work + within protected areas was appropriately conducted according to control procedures. 
+ annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node407 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node406 + description: Regularly review pre-approval details, access records, and work + logs. + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node408 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node406 + description: Ensure consistency between access requests and access details (logbook, + system logs, etc.) + annotation: 'Key Points for Verification: + + - Have official work request and execution procedures been established and + implemented for situations requiring work within protected areas, such as + information system installation and maintenance? + + - To verify whether work within protected areas has been appropriately conducted + according to control procedures, are work records being reviewed periodically?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.6 + name: Control of Equipment Exit and Entry + - urn: urn:intuitem:risk:req_node:k_isms_p:node410 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.6 + description: When bringing in or taking out information systems, mobile devices, + storage media, etc., into or out of protected areas, control procedures must + be established and implemented to prevent security incidents such as information + leakage or malware infection. + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node411 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node410 + description: Information systems (servers, network equipment, etc.), mobile + devices (laptops, smart pads, smartphones, etc.), storage media (HDD, SSD, + USB memory, external hard disks, CD/DVD, tapes, etc.). + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? 
+ + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node412 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node410 + description: Prior approval from the responsible person for access control to + the protected area, recording in the access control log, performing security + checks on devices (such as checking for antivirus installation, security updates, + malware infection, security sticker attachment, and any information leakage), + and periodic review of entry and exit records. + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node413 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node410 + description: Exception request and approval, recording in the access control + log, etc. + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? 
+ + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node414 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.6 + description: Records of the entry and exit control procedures must be maintained + and managed, and the compliance with these procedures should be verified by + regularly checking the entry and exit logs. + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node415 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node414 + description: Maintain records of entry and exit history within protected areas + (e.g., entry and exit logs, access control system logs, etc.). + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node416 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.6 + description: Regularly review entry and exit logs to ensure that entries and + exits within the protected areas are appropriately conducted in accordance + with control procedures. + annotation: 'Key Points for Verification: + + - Have control procedures been established and implemented to prevent security + incidents such as information leakage or malware infection when bringing in + or taking out information systems, mobile devices, storage media, etc., into + or out of protected areas? + + - Are records being maintained and managed according to the control procedures + for bringing in and out these items, and is there a periodic review of the + entry and exit history to verify compliance with these procedures?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.4.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4 + ref_id: 2.4.7 + name: Security of the Work Environment + - urn: urn:intuitem:risk:req_node:k_isms_p:node418 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.7 + description: Protection measures must be established and implemented for facilities + and office equipment used in common, such as document storage rooms, shared + PCs, multifunction printers, and file servers. + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? 
+ + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node419 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'Document storage room: Minimize the number of people with access, + assign access rights based on department and job, manage access history.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node420 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'Shared PC: Assign a responsible person, set a screen saver, configure + login passwords, regularly change passwords, limit storage of important information, + install antivirus software, apply security updates, etc.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? 
+ + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node421 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'Shared office equipment: Prohibit leaving important documents + unattended near shared office equipment like fax machines, copiers, and printers.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node422 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'File server: Assign access rights based on department and job, + minimize unnecessary information disclosure, issue user accounts per individual.' 
+ annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node423 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'Shared office space: Prohibit leaving important information (personal + information) documents unattended in shared office spaces such as meeting + rooms or project rooms.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node424 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node418 + description: 'Other: Establish protection measures for other shared work environments.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node425 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.7 + description: ' Protection measures must be established and implemented to prevent + the leakage or exposure of personal information and important information + through personal work environments, such as work PCs, desks, and drawers.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? 
+ + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node426 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node425 + description: 'Protection when leaving the workstation: Prohibit leaving personal + information and documents containing personal information or auxiliary storage + media unattended (clean desk policy), set screen savers and passwords, etc.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node427 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node425 + description: Prohibit exposure of login information (e.g., passwords) on monitors + and desks + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? 
+ + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node428 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node425 + description: Store documents and external storage devices containing personal + or sensitive information in a secure location with a lock. + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node429 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node425 + description: Shred documents containing personal and important information using + a shredder to prevent recovery. + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? 
+ + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node430 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node425 + description: Take measures to prevent unauthorized individuals from accessing + and tampering with management terminals. + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node431 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.7 + description: ' Necessary protection measures must be implemented to prevent + the loss, theft, or leakage of personal information included in printed materials + or copies and to safely manage these printed materials and copies.' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? 
+ + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node432 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.4.7 + description: 'Compliance with information protection measures in personal and + shared work environments must be regularly reviewed. ' + annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node433 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node432 + description: Non-compliance with security regulations in personal and shared + work environments should be managed according to disciplinary regulations. 
+ annotation: 'Key Points for Verification: + + - Are protection measures established and implemented for facilities and office + equipment used in common, such as document storage rooms, shared PCs, multifunction + printers, and file servers? + + - Have protection measures been established and implemented to prevent the + leakage or exposure of personal and important information through personal + work environments, such as work PCs, desks, and drawers? + + - Are necessary protection measures in place to safely manage printed or copied + materials containing personal information, such as paper documents? + + - Is compliance with information protection regularly reviewed in both personal + and shared work environments?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.5' + name: Authentication and Access Management + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.1 + name: User Account Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node436 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.1 + description: 'To control unauthorized access to information systems and personal + or sensitive information, formal procedures for the registration, modification, + deletion, and termination of user accounts and access rights should be established + and implemented, considering the following:' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? 
+ + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node437 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node436 + description: 'Issuance of Unique User Accounts: Each user and personal information + handler should be issued a unique user account, and account sharing should + be prohibited.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node438 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node436 + description: 'Appropriate Review Procedures: When issuing or modifying accounts + and access rights, ensure proper approval procedures and appropriateness reviews + are in place.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? 
+ + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node439 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node436 + description: 'Access Rights Adjustments: Change or revoke access rights promptly + in the event of personnel transfers, resignations, or other HR movements (including + account deletion or deactivation).' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node440 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node436 + description: 'Default and Test Accounts: After installing information systems, + remove or change default and test accounts provided by manufacturers or vendors + to obscure or difficult-to-guess credentials.' 
+ annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node441 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node436 + description: 'Record Maintenance: Maintain and manage records related to the + registration, modification, deletion, and termination of user accounts and + access rights.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node442 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.1 + description: 'When creating, registering, or modifying user accounts and access + rights for information systems and personal or sensitive information, only + the minimum necessary permissions required for the job should be granted according + to a role-based access control system:' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node443 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node442 + description: 'Role-Based Permissions: Grant access rights based on job requirements, + with differential access based on the necessity to perform specific duties.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? 
+ + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node444 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node442 + description: 'Need-to-Know and Need-to-Do Principles: Grant access to important + information and personal data strictly based on the need-to-know and need-to-do + principles.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node445 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node442 + description: 'Segmentation of Rights: Avoid unnecessary or excessive access + to important or personal information by implementing granular permission settings.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? 
+ + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node446 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node442 + description: 'Approval Procedures: Ensure appropriateness reviews through approval + procedures when granting or modifying access rights.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node447 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.1 + description: When granting user accounts and access rights, it must be clearly + communicated that the individual is responsible for the security of their + account. + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? 
+ + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node448 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node447 + description: 'Documentation of Responsibility: Clearly specify the responsibilities + and obligations related to the account in information security and privacy + policies, agreements, or declarations. This includes prohibiting sharing or + lending accounts and passwords to others and providing guidelines for secure + login practices in public places.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? + + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node449 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node447 + description: 'Communication Methods: Utilize various methods to communicate + these responsibilities, such as agreements, emails, system notifications, + and training sessions.' + annotation: 'Key Points for Verification: + + - Are formal procedures established and implemented for the registration, + modification, and deletion of user accounts and access rights to information + systems, personal information, and sensitive information? 
+ + - When creating or modifying user accounts and access rights to information + systems and personal or sensitive information, are only the minimum necessary + permissions required for the job assigned according to the role-based access + control system? + + - When granting accounts and access rights to users, is there a clear communication + that the security responsibility for the account lies with the user?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.2 + name: User Identification + - urn: urn:intuitem:risk:req_node:k_isms_p:node451 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.2 + description: When registering users for information systems and personal data + processing systems, unique identifiers must be assigned to each user and personal + data handler, and the use of guessable identifiers must be restricted. + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node452 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node451 + description: 'One User, One Account Principle: Ensure accountability by issuing + a unique account to each user.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? 
+ + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node453 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node451 + description: 'Account Sharing and Public Account Restrictions: Limit the sharing + of accounts and the use of public accounts.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node454 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node451 + description: 'Operating Accounts: Restrict general user access to system operating + accounts.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node455 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node451 + description: 'Default Accounts: After system installation, remove or change + default and test accounts from manufacturers or vendors to non-guessable identifiers + (including changing default passwords).' 
+ annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node456 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node451 + description: 'Administrator Accounts: Restrict the use of easily guessable identifiers + (e.g., root, admin, administrator) for administrative and special privilege + accounts.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node457 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.2 + description: If sharing the same identifier is unavoidable for business reasons, + the reasons and validity must be reviewed and approved by the responsible + party. + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node458 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node457 + description: 'Role Separation: Even if administrator accounts are shared due + to role division, assign separate user accounts and log in with the user account + before switching to the administrator account.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node459 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node457 + description: 'Temporary Account Sharing: If accounts are temporarily shared + for maintenance or similar tasks, change the password immediately after the + task is completed.' + annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node460 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node457 + description: 'Public Accounts: If the use of public accounts is necessary for + business reasons, review and approve the reasons and validity, and implement + additional control measures to ensure accountability.' 
+ annotation: 'Key Points for Verification: + + - Are unique identifiers assigned to users and personal data handlers in information + systems and personal data processing systems, and is the use of guessable + identifiers restricted? + + - If there are unavoidable reasons for sharing the same identifier, are the + reasons and validity reviewed, and are corrective measures put in place with + the approval of the responsible party?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.3 + name: User Authentication + - urn: urn:intuitem:risk:req_node:k_isms_p:node462 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.3 + description: Access to information systems and personal data processing systems + must be controlled according to secure user authentication procedures, including + user authentication, login attempt limits, and warnings for illegal login + attempts. + annotation: 'Key Points for Verification: + + - Is access to information systems and personal data processing systems controlled + according to secure user authentication procedures, including user authentication, + login attempt limits, and warnings for illegal login attempts? + + - When accessing personal data processing systems from external networks, + are secure authentication methods or secure access methods applied in accordance + with legal requirements?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node463 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node462 + description: Examples of user authentication methods + annotation: ' You can find it page 95' + - urn: urn:intuitem:risk:req_node:k_isms_p:node464 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node462 + description: Examples of measures to control account misuse and unauthorized + authentication attempts + annotation: ' You can find it page 96' + - urn: urn:intuitem:risk:req_node:k_isms_p:node465 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node462 + description: When using Single Sign-On (SSO) to provide convenience in business + operations, additional protective measures should be implemented due to the + potential for increased damage in the event of account theft. Based on a risk + assessment, enhanced authentication methods and re-authentication requirements + for access to critical systems should be applied. + annotation: 'Key Points for Verification: + + - Is access to information systems and personal data processing systems controlled + according to secure user authentication procedures, including user authentication, + login attempt limits, and warnings for illegal login attempts? + + - When accessing personal data processing systems from external networks, + are secure authentication methods or secure access methods applied in accordance + with legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node466 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.3 + description: When accessing personal data processing systems from outside through + information communication networks such as the internet, secure authentication + methods must be applied in accordance with legal requirements. 
For personal + data processing systems that handle data from information subjects rather + than users, secure access methods or authentication methods such as Virtual + Private Networks (VPNs) can be used. + annotation: 'Key Points for Verification: + + - Is access to information systems and personal data processing systems controlled + according to secure user authentication procedures, including user authentication, + login attempt limits, and warnings for illegal login attempts? + + - When accessing personal data processing systems from external networks, + are secure authentication methods or secure access methods applied in accordance + with legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node467 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node466 + description: Secure authentication methods refer to procedures beyond entering + user accounts and passwords to identify and authenticate legitimate personal + data handlers. + annotation: 'Key Points for Verification: + + - Is access to information systems and personal data processing systems controlled + according to secure user authentication procedures, including user authentication, + login attempt limits, and warnings for illegal login attempts? + + - When accessing personal data processing systems from external networks, + are secure authentication methods or secure access methods applied in accordance + with legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node468 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node466 + description: Examples of secure authentication methods include certificates, + security tokens, and one-time passwords (OTPs). 
+ annotation: ' You can find it page 96' + - urn: urn:intuitem:risk:req_node:k_isms_p:node469 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node466 + description: Personal data handlers must comply with legal requirements related + to authentication methods when accessing personal data processing systems + from external networks. + annotation: 'Key Points for Verification: + + - Is access to information systems and personal data processing systems controlled + according to secure user authentication procedures, including user authentication, + login attempt limits, and warnings for illegal login attempts? + + - When accessing personal data processing systems from external networks, + are secure authentication methods or secure access methods applied in accordance + with legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.4 + name: Password Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node471 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.4 + description: You must establish and implement password management procedures + and creation rules to ensure that users and administrators set and use secure + passwords. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node472 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node471 + description: 'Examples of password creation rules (enforced systemically except + in unavoidable cases):' + annotation: ' You can find it page 98' + - urn: urn:intuitem:risk:req_node:k_isms_p:node473 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node471 + description: Examples of Password Management Procedures + annotation: ' You can find it page 98' + - urn: urn:intuitem:risk:req_node:k_isms_p:node474 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.4 + description: Password rules must be established and enforced to ensure that + users set and use secure passwords. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node475 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node474 + description: Follow guidelines for user and personal data handler passwords, + but adjust rules based on the service's characteristics and risk level. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node476 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node474 + description: Implement secure procedures for password recovery in case of loss + or theft, including identity verification. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node477 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.4 + description: Authentication methods for personal data handlers or users must + be applied and managed securely. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node478 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node477 + description: When using passwords, establish and apply secure password rules. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? 
+ + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node479 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node477 + description: For other authentication methods (e.g., certificates, PINs, biometrics, + security tokens), implement protective measures to prevent unauthorized access + or theft. + annotation: 'Key Points for Verification: + + - Have you established and implemented secure user password management procedures + and creation rules for information systems? + + - Have you established and implemented password creation rules to ensure that + data subjects (users) can use secure passwords? + + - Are you securely applying and managing authentication methods for personal + data handlers or data subjects?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.5 + name: Management of Special Accounts and Permissions + - urn: urn:intuitem:risk:req_node:k_isms_p:node481 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.5 + description: Administrative and other special privileges should be granted only + to the minimum number of individuals necessary. Formal authorization and approval + procedures must be established and implemented. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node482 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node481 + description: Define account and privilege types for special purposes such as + information system management, personal data management, and important information + management. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node483 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node481 + description: Establish and enforce procedures for issuing, changing, and revoking + special accounts and privileges, ensuring that applications and approvals + follow formal procedures. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node484 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node481 + description: Apply stricter criteria for granting special accounts and privileges + compared to general user accounts and privileges (e.g., requiring approval + from executives or security officers). 
+ annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node485 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.5 + description: Establish and enforce control procedures to identify and manage + special accounts and privileges, maintaining a separate list. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node486 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node485 + description: Create and manage a list of individuals with special privileges. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node487 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node485 + description: Minimize exceptions and enhance monitoring for individuals with + special privileges. 
+ annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node488 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node485 + description: Apply procedures to create special privileges for external parties + (e.g., for system maintenance) only when necessary and promptly delete or + suspend them after the work is completed. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node489 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node485 + description: Regularly review the status of special privilege holders to keep + the list current. + annotation: 'Key Points for Verification: + + - Are formal authorization and approval procedures established and enforced + to ensure that special privileges, such as administrative rights, are granted + only to the minimum number of individuals necessary? + + - Are accounts and privileges granted for special purposes identified and + managed through a separate list, with control procedures in place?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.5.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5 + ref_id: 2.5.6 + name: Access Rights Review + - urn: urn:intuitem:risk:req_node:k_isms_p:node491 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.6 + description: Records must be maintained for the creation, registration, granting, + use, modification, and revocation of user accounts and access rights related + to information systems, personal data, and critical information. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node492 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node491 + description: 'User account and access rights details should include all necessary + information to ensure accountability:' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? 
+ + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node493 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node492 + description: 'Account/Access Rights Application Information: Applicant or proxy, + application date and time, purpose of application, usage period, etc.' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node494 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node492 + description: 'Account/Access Rights Approval Information: Approver, approval + or denial status, reasons, and date/time, etc.' 
+ annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node495 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node492 + description: 'Account/Access Rights Registration Information: Registrant, registration + date, registration method (e.g., system integration, manual registration, + etc.)' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node496 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node492 + description: 'Account/Access Rights Information: Target system name, access + rights name, details of rights, etc.' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node497 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node491 + description: 'Access rights records should be retained for a period reflecting + legal requirements:' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? 
+ + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node498 + assessable: false + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node497 + description: 'For personal data processors under the "Personal Information Protection + Act": at least 3 years.' + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node499 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.6 + description: Criteria, responsible parties, methods, and frequency for assessing + the appropriateness of user accounts and access rights to information systems, + personal data, and critical information must be established, and regular reviews + must be conducted. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? 
+ + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node500 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node499 + description: Establish review procedures for access rights, including review + parties, methods, criteria, frequency (recommended at least quarterly), and + reporting results. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node501 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.5.6 + description: If issues such as excessive access rights, non-compliance with + authorization procedures, or misuse of rights are found during access rights + reviews, procedures for addressing these issues must be established and implemented. 
+ annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node502 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node501 + description: Establish and implement procedures that include requesting explanations, + analyzing causes, developing corrective measures, and reporting systems if + suspicious situations such as excessive rights, procedural non-compliance, + or misuse are detected. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node503 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node501 + description: Notify users and relevant parties of any changes applied to access + rights after the review. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? + + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node504 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node501 + description: If similar issues recur, analyze the root cause and establish measures + to prevent recurrence. + annotation: 'Key Points for Verification: + + - Are records maintained for the creation, registration, granting, use, modification, + and revocation of user accounts and access rights related to information systems, + personal data, and critical information? + + - Have criteria, review parties, methods, and frequencies for assessing the + appropriateness of user accounts and access rights to information systems, + personal data, and critical information been established, and is regular review + being carried out? 
+ + - If issues such as excessive access rights, non-compliance with authorization + procedures, or misuse of privileges are identified during access rights reviews, + have corrective action procedures been established and implemented?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.6' + name: 'Access Control + + ' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.1 + name: Network Access + - urn: urn:intuitem:risk:req_node:k_isms_p:node507 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.1 + description: Organizations must establish and implement network access control + management procedures to identify all pathways that can access the organization's + network and effectively prevent and respond to related risks such as unauthorized + access to the network. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node508 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node507 + description: Control the use of unauthorized IPs by assigning IP addresses to + information systems, personal information processing systems, PCs, etc., following + an approval process. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node509 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node507 + description: Control unauthorized individuals and devices from accessing the + internal network. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? 
+ + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node510 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node507 + description: Block unnecessary services and ports installed on network equipment. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node511 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.1 + description: The network must be segmented physically or logically based on + the importance of services, user groups, information assets, and legal requirements, + with access control applied between these segments. 
+ annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node512 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node511 + description: Determine the level of network segmentation and access control + between areas of critical business operations through risk assessment. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? 
+ + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node513 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node511 + description: ' Network segments separated by access control policies must be + controlled so that only services necessary for business operations are allowed + to access them. This can be achieved using intrusion prevention systems, network + equipment ACLs, and similar measures.' + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node514 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.1 + description: Organizations must establish IP address assignment standards for + different network segments and ensure that important systems, such as database + servers, that do not need to connect to external networks are assigned private + IP addresses to prevent direct external access. 
+ annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node515 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node514 + description: Keep the IP address allocation status up to date and manage it + securely with a confidentiality level of at least "confidential" to prevent + external leaks. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? 
+ + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node516 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node514 + description: Use a private IP address scheme within the internal network and + apply NAT (Network Address Translation) to prevent the internal address scheme + from being exposed externally. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node517 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node514 + description: When assigning private IP addresses, use private IP address ranges + in accordance with international standards. + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? 
+ + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node518 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.1 + description: Organizations must establish a secure connection environment when + connecting networks with physically separate locations such as IDCs, branches, + agencies, partners, and customer centers by using dedicated lines or VPNs + (Virtual Private Networks). + annotation: 'Key Points for Verification: + + - Have all the pathways that can access the organization''s network been identified, + and is access to the internal network controlled so that only authorized users + can access it according to the access control policy? + + - Is the network segmented physically or logically based on the importance + of services, user groups, information assets, and legal requirements, and + is access control applied between these segments? + + - Have criteria been established for assigning IP addresses by network segment, + and are measures being implemented, such as assigning private IPs to database + servers that do not require external connections? + + - Are protection measures in place for transmission sections when connecting + networks to physically separated locations such as IDC (Internet Data Center), + branches, or agencies?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.2 + name: Information System Access + - urn: urn:intuitem:risk:req_node:k_isms_p:node520 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.2 + description: Access to the operating systems (OS) of information systems such + as servers, network systems, and security systems must be controlled by defining + authorized users, accessible locations, and access methods. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node521 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Establish procedures for account and permission requests and approvals. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node522 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Assign individual accounts to each user and restrict the use of + shared accounts. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node523 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Regularly review and update account usage, including checking for + long-term inactive accounts and unnecessary accounts. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node524 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Restrict access locations by limiting the IP addresses of users. 
+ annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node525 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Consider enhanced authentication methods for administrators and + other users with special privileges, such as certificates or OTP (One-Time + Password). + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node526 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Apply secure access methods such as SSH and SFTP. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? 
+ + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node527 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node520 + description: Implement access control measures for connections between servers + within the same network segment. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node528 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.2 + description: If no work is performed for a certain period after accessing the + information system, measures must be taken to automatically disconnect the + session. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? 
+ + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node529 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node528 + description: Set session timeout duration based on server characteristics, work + environment, risk level, and legal requirements. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node530 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.2 + description: Services or ports that are unrelated to the intended purpose of + the information system or that could cause security incidents must be identified + and removed or blocked. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node531 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node530 + description: Implement additional security features for insecure services, protocols, + and daemons. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node532 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node530 + description: Restrict the use of insecure services or protocols such as Netbios, + File-Sharing, Telnet, and FTP unless absolutely necessary, and use secure + technologies like SSH, SFTP, or IPSec VPN. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node533 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.2 + description: Servers that provide key services must be operated on independent + servers. 
+ annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node534 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node533 + description: Web servers, database servers, and applications that provide direct + services to external users or store and process sensitive information must + be operated on independent servers, not shared equipment. + annotation: 'Key Points for Verification: + + - Is access to operating systems (OS) for information systems such as servers, + network systems, and security systems controlled by defining authorized users, + accessible locations, and access methods? + + - Is the system automatically disconnected after a certain period of inactivity + following a connection to the information system? + + - Are services unrelated to the intended purpose of the information system + removed? + + - Are information systems that provide key services operated on separate servers?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.3 + name: Application Access + - urn: urn:intuitem:risk:req_node:k_isms_p:node536 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + description: ' To control access to sensitive information, access rights to + applications must be differentiated according to the user''s job function.' 
+ annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node537 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Clearly identify internal applications (e.g., back-office systems, + member management systems). + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node538 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Identify personal information processing systems within the applications. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node539 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Establish a user and personal information handler access rights + classification system (e.g., an access rights classification table) based + on the principle of least privilege. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? 
+ + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node540 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Implement application features that allow detailed configuration + of permissions for processing sensitive information and personal data (e.g., + input, view, modify, delete, download, print). + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node541 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Establish and enforce procedures for granting, modifying, and deleting + accounts and permissions for identified applications and personal information + processing systems. 
+ annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node542 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node536 + description: Maintain records of permission grants, modifications, and deletions + to review the validity of access rights. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? 
+ + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node543 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + description: Sessions without input for a certain period must be automatically + terminated, and the number of simultaneous sessions for the same user must + be limited. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node544 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node543 + description: Determine and apply session timeout settings considering the characteristics + and risk levels of each application and task. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? 
+ + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node545 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node543 + description: For personal information processing systems, ensure that sessions + are automatically terminated if there is no activity for a specified period, + in accordance with legal requirements. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node546 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node543 + description: Display warning messages and restrict access when there is a simultaneous + login attempt with the same account. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node547 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + description: Administrator-only applications (e.g., admin web pages, management + consoles) must be controlled to prevent unauthorized access. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? 
+ + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node548 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node547 + description: Block external access to administrator-only applications and implement + access restrictions based on IP addresses. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node549 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node547 + description: If external access is unavoidable, apply secure authentication + methods (e.g., OTP) or secure connection methods (e.g., VPN). + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? 
+ + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node550 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node547 + description: Regularly monitor access logs and event logs for administrators + and personal information handlers. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node551 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node547 + description: When detecting suspicious activity, conduct a detailed investigation + and follow predefined procedures, including internal reporting. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node552 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + description: To ensure consistency in the application of measures limiting the + display of personal and sensitive information, related standards must be established + and applied. + annotation: 'Examples of standards for limiting the display of personal and + sensitive information: + + Name: Mask the middle character(s) of the name (for two-character names, mask + the last character; for names with four or more characters, mask all but the + first and last characters). + + Resident registration number: Mask the last 7 digits of the 13-digit number. + + Phone number, mobile number: Mask the area code. 
+ + Address: Mask the building number and detailed address numbers below the street + name. + + Email address: Mask all but the first two characters of the ID. + + Card number: Mask six digits starting from the seventh digit. + + IP address: Mask bits 17-24 (IPv4) or bits 113-128 (IPv6), etc.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node553 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.3 + description: ' Applications must be designed and operated to minimize unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading).' + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node554 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: When printing or displaying personal and sensitive information + (e.g., on screen, in downloads) through applications (such as personal information + processing systems), specify the purpose and minimize the output items based + on that purpose. 
+ annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node555 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: Ensure that, depending on the work environment, purpose, type, + and location, only the minimum necessary personal information is output within + the scope of access rights to the personal information processing system. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? 
+ + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node556 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: Prevent 'like' searches of personal information unless absolutely + necessary for business purposes. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node557 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: When searching for personal information, ensure that unnecessary + or excessive information is not displayed by using exact match (equal search) + or multiple search criteria. + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? 
+ + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node558 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: Take measures to ensure that personal information is not stored + in hidden fields within office files (such as Excel) + annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node559 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node553 + description: Ensure that unnecessary personal information is not displayed through + actions like viewing the webpage source. 
+ annotation: 'Key Points for Verification: + + - To control access to sensitive information, are access rights to applications + differentiated according to the user''s job function? + + - Is the system configured to automatically terminate sessions after a period + of inactivity, and limit the number of concurrent sessions for the same user? + + - Are access controls in place to ensure that administrative applications + (such as admin web pages or management consoles) are inaccessible to unauthorized + users? + + - Have relevant standards been established and applied to ensure consistency + in protection measures for displaying personal and sensitive information? + + - Are applications designed and operated in a way that minimizes unnecessary + exposure of personal and sensitive information (e.g., viewing, screen display, + printing, downloading, etc.)?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.4 + name: Database Access + - urn: urn:intuitem:risk:req_node:k_isms_p:node561 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.4 + description: You must identify and continuously update the information being + stored and managed, such as the list of tables in the database. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node562 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node561 + description: Identify the list of tables used in the database, the information + stored, and their relationships. 
+ annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node563 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node561 + description: Identify the storage locations (database and table names, column + names) and status (number of records, encryption status) of critical and personal + information. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node564 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node561 + description: Regularly review and update the database status. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node565 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.4 + description: You must clearly identify the applications, information systems + (servers), and users that need access to information within the database and + control access according to the access control policy. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node566 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Establish and implement access control policies for database access + rights, distinguishing between administrators (DBAs) and users (e.g., access + control at the table, view, column, and query levels based on the principle + of least privilege). + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node567 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Restrict access to tables and columns containing critical information + to authorized personnel only. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? 
+ + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node568 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Differentiate accounts with DBA privileges from those with other + privileges such as read-only access. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node569 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Limit the shared use of accounts between applications and users. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node570 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Restrict executable commands by account. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? 
+ + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node571 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Delete unused accounts, test accounts, and default accounts. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node572 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Automatically block access if no activity is performed for a specified + period. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node573 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Restrict unauthorized access to the database. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? 
+ + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node574 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Ensure that databases storing personal information are not located + on publicly exposed networks such as DMZs. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node575 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Block unauthorized access from other network zones and servers. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node576 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Restrict IP addresses, ports, and applications that are allowed + to access the database. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? 
+ + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node577 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node565 + description: Ensure that general users can access the database only through + authorized applications. + annotation: 'Key Points for Verification: + + - Are you identifying the information being stored and managed, such as the + list of tables in the database? + + - Are you clearly identifying the applications, information systems (servers), + and users that need access to information within the database, and are you + controlling access according to the access control policy?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.5 + name: Wireless Network Access + - urn: urn:intuitem:risk:req_node:k_isms_p:node579 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.5 + description: 'If wireless networks are used for business purposes, you must + establish and implement protection measures considering the following aspects + for securing wireless access points (APs) and network segments:' + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? 
+ + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node580 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Manage a list of wireless network devices (e.g., APs). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node581 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Configure encryption for user authentication and data transmission + (e.g., WPA2-Enterprise mode, WPA3-Enterprise mode). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node582 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Implement wireless AP access terminal authentication methods (e.g., + MAC authentication). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node583 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Enable SSID hiding. + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node584 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Set up Access Control Lists (ACLs) for the wireless network. 
+ annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node585 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node579 + description: Control administrator access to wireless APs (e.g., IP restrictions). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node586 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.5 + description: 'You must establish and implement procedures for access requests + and termination to ensure that only authorized employees can use the wireless + network:' + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node587 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node586 + description: Set up procedures for requesting and approving wireless network + access (e.g., user and device registration). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node588 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node586 + description: Establish procedures for revoking access when the wireless network + is no longer needed (e.g., due to retirement or expiration of access). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node589 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node586 + description: Separate wireless networks provided to external parties from those + used by employees. + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node590 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.5 + description: 'You must establish and implement protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs:' + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node591 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node590 + description: Install and operate a Wireless Intrusion Prevention System (WIPS), + and periodically check for unauthorized APs (Rogue APs). + annotation: 'Key Points for Verification: + + - If wireless networks are used for business purposes, have you established + and implemented protection measures such as authentication and data encryption + for wireless access points (APs) and network segments? + + - Have you established and implemented procedures for the application and + termination of wireless network access so that only authorized employees can + use it? + + - Have you established and implemented protection measures against unauthorized + wireless networks, such as detecting and blocking ad hoc connections and unauthorized + wireless APs within the organization?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.6 + name: Remote Access Control + - urn: urn:intuitem:risk:req_node:k_isms_p:node593 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.6 + description: 'The remote operation of critical information (personal information), + information systems, and major assets related to personal information processing + systems (servers, network equipment, security devices, etc.) through external + networks such as the internet is generally prohibited. If it is unavoidably + allowed, the following measures must be established and implemented:' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node594 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Approval from the responsible person for remote operation and access. 
+ annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node595 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Use of secure authentication methods (certificates, OTPs, etc.). + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? 
+ + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node596 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Use of secure access methods (VPNs, etc.). + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node597 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Temporary access rights provisioning and management of access rights + status. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? 
+ + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node598 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Security of access devices through antivirus installation, security + patches, etc. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node599 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Monitoring of remote operation status (e.g., periodic review of + VPN account issuance and usage). + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node600 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Logging and periodic analysis of remote access records. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? 
+ + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node601 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node593 + description: Security awareness training related to remote operation. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node602 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.6 + description: When operating information systems remotely through an internal + network, access must be restricted to specific devices only. 
+ annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node603 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node602 + description: Limit accessible devices by IP address, MAC address, etc. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? 
+ + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node604 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node602 + description: Block access paths that bypass normal remote access routes. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node605 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.6 + description: 'For remote work scenarios such as telecommuting, remote collaboration, + and smart work, protective measures must be established and implemented to + prevent the leakage of critical information, hacking, and other security incidents:' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node606 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: 'Define smart work scenarios: telecommuting, smart work centers, + remote collaboration, mobile office environments.' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? 
+ + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node607 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: 'Set permissions based on smart work scenarios: define the scope + of remote access to internal systems and services.' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node608 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: 'Approval process for smart work: application, approval, and revocation + of remote access rights for smart work.' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node609 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: 'Technical protection measures for remote access: encryption of + transmission channels (VPNs, etc.), enhanced user authentication (OTPs, etc.).' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? 
+ + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node610 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: 'Security of access devices (PCs, mobile devices, etc.): installation + of antivirus software, application of security patches, device authentication, + measures for lost or stolen devices (reporting procedures, device locking, + deletion of critical information, etc.), prohibition of storing critical information + (encryption if necessary), etc.' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node611 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node605 + description: Establish and educate on information protection guidelines for + the smart work environment. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node612 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.6 + description: 'For devices (management devices or critical devices) accessing + the personal information processing system remotely for management, operation, + development, and security purposes, the following protective measures must + be applied:' + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? 
+ + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node613 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node612 + description: Designate and manage a list of management devices. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node614 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node612 + description: Prevent unauthorized individuals from accessing and tampering with + management devices. 
+ annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node615 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node612 + description: Restrict access to only the registered management devices. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? 
+ + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node616 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node612 + description: Ensure devices are not used for purposes other than their intended + use. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? + + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node617 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node612 + description: Apply protective measures to management devices to prevent malware + infections, etc. + annotation: 'Key Points for Verification: + + - Remote operation of information systems through external networks such as + the internet is generally prohibited. If it is unavoidably allowed for reasons + such as dealing with system failures, are appropriate protective measures + in place? 
+ + - When operating information systems remotely via internal networks, is access + restricted to specific devices only? + + - For remote work scenarios such as telecommuting, remote collaboration, and + smart work, have you established and implemented protective measures to prevent + information leaks, hacking, and other security incidents? + + - For remote access to personal information processing systems for management, + operation, development, or security purposes, are the devices designated as + management devices and are safety measures such as prohibiting unauthorized + modifications and use for unintended purposes applied?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.6.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6 + ref_id: 2.6.7 + name: Internet Access Control + - urn: urn:intuitem:risk:req_node:k_isms_p:node619 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.7 + description: To appropriately reduce risks such as information leakage, malware + infection, and internal network breaches via the internet, control policies + for internet access on work PCs, including those used for major job functions + and handling personal information, must be established and implemented. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node620 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: Network Configuration Policy for Internet Connections + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node621 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: User Access Policy for External Email Use, Internet Site Access, + Software Downloads, and Transfers + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node622 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: Blocking Policy for Harmful Sites (such as adult content and entertainment) + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? 
+ + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node623 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: Blocking Policy for Sites with Potential for Information Leakage + (such as web storage, P2P networks, remote access) + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node624 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: Policies Related to Network Segregation or Internet Blocking Measures + (whether network segregation is applied, target individuals for segregation, + method of segregation, procedures for data transmission between networks, + etc.) + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node625 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node619 + description: Monitoring Policy for Internet Access History + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node626 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.7 + description: Unnecessary external internet access from major information systems + (such as database servers) must be controlled. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node627 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node626 + description: Limit external internet access from internal servers (DB servers, + file servers, etc.) to prevent malware influx, information leakage, and reverse + access. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? 
+ + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node628 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node626 + description: If external access is unavoidable, conduct a risk analysis to establish + protective measures and obtain approval from the responsible person before + allowing access. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node629 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.7 + description: If internet network blocking is mandated by relevant laws, identify + the subjects of internet network blocking and apply the blocking measures + in a secure manner. + annotation: 'Under the Personal Information Protection Act: + + - (Obligatory Targets for Personal Information Processors): Personal information + processors with an average of more than 1 million users per day in the last + three months of the previous year. + + - (Obligatory Targets for Computers, etc.): Computers and other devices used + by personal information handlers that can download, destroy, or set access + permissions for personal information. 
+ + - (Measures When Using External Cloud Services) When using cloud computing + services as defined in Article 2, Item 3 of the "Act on the Promotion of Cloud + Computing and Protection of Users" to configure and operate personal information + processing systems, internet access must be restricted to only the necessary + cloud service, and all other internet access must be blocked.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node630 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.6.7 + description: 'Apply internet blocking measures in a secure manner considering + the following:' + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node631 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630 + description: Review whether internet blocking measures are mandatory and, if + so, identify the subjects of the internet blocking measures. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node632 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630 + description: If not subject to mandatory internet blocking, determine whether + to apply internet blocking measures based on risk analysis results. + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node633 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630 + description: Apply internet blocking measures using physical methods (e.g., + configuring two PCs with separate networks) or logical methods (e.g., using + virtualization technologies like VDI). + annotation: 'Key Points for Verification: + + - Are control policies for internet access of key operational and personal + information handling devices (work PCs) established and enforced? + + - Are unnecessary external internet connections from major information systems + (such as DB servers) controlled? + + - If required by relevant laws to block internet access, are the affected + parties identified and are internet access blocking measures applied in a + secure manner?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node634 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630 + description: Identify and control any bypass routes around internet blocking + measures. 
+ annotation: 'Key Points for Verification:
+
+ - Are control policies for internet access of key operational and personal
+ information handling devices (work PCs) established and enforced?
+
+ - Are unnecessary external internet connections from major information systems
+ (such as DB servers) controlled?
+
+ - If required by relevant laws to block internet access, are the affected
+ parties identified and are internet access blocking measures applied in a
+ secure manner?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node635
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630
+ description: Establish control measures for secure data transmission for computers
+ subject to internet blocking measures.
+ annotation: 'Key Points for Verification:
+
+ - Are control policies for internet access of key operational and personal
+ information handling devices (work PCs) established and enforced?
+
+ - Are unnecessary external internet connections from major information systems
+ (such as DB servers) controlled?
+
+ - If required by relevant laws to block internet access, are the affected
+ parties identified and are internet access blocking measures applied in a
+ secure manner?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node636
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node630
+ description: Conduct regular inspections of the adequacy and vulnerabilities
+ of the internet blocking environment.
+ annotation: 'Key Points for Verification:
+
+ - Are control policies for internet access of key operational and personal
+ information handling devices (work PCs) established and enforced?
+
+ - Are unnecessary external internet connections from major information systems
+ (such as DB servers) controlled?
+
+ - If required by relevant laws to block internet access, are the affected
+ parties identified and are internet access blocking measures applied in a
+ secure manner?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.7
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2
+ ref_id: '2.7'
+ name: Encryption Application
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.7.1
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7
+ ref_id: 2.7.1
+ name: Encryption Policy Application
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node639
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7.1
+ description: To protect personal and critical information, you must establish
+ an encryption policy that includes legal requirements such as encryption targets,
+ encryption strength, and encryption usage.
+ annotation: 'Key Points for Verification:
+
+ - To protect personal and critical information, have you established an encryption
+ policy that includes legal requirements such as encryption targets, encryption
+ strength, and usage?
+
+ - In accordance with the encryption policy, are you performing encryption
+ when storing, transmitting, or transferring personal and critical information?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node640
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node639
+ description: 'Encryption Targets: Defined based on legal requirements, sensitivity
+ of the information being processed, and its importance.'
+ annotation: You will find a table on page 121
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node641
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node639
+ description: 'Encryption Algorithm: Select secure encryption algorithms and
+ security strength based on legal requirements and other considerations.'
+ annotation: You will find a table on page 122
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node642
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7.1
+ description: 'Encryption Policy Compliance: Encrypt personal and sensitive information
+ during storage, transmission, and transfer according to the encryption policy.'
+ annotation: 'Key Points for Verification:
+
+ - To protect personal and critical information, have you established an encryption
+ policy that includes legal requirements such as encryption targets, encryption
+ strength, and usage?
+
+ - In accordance with the encryption policy, are you performing encryption
+ when storing, transmitting, or transferring personal and critical information?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node643
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node642
+ description: 'Encryption Method: Select and apply encryption methods considering
+ the encryption location and system characteristics.'
+ annotation: You will find a table on page 123
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.7.2
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7
+ ref_id: 2.7.2
+ name: Encryption Key Management
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node645
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7.2
+ description: 'You must establish policies and procedures that include the following
+ details for the generation, use, storage, distribution, and disposal of encryption
+ keys:'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented procedures for the generation, use,
+ storage, distribution, change, recovery, and disposal of encryption keys?
+
+ - Are encryption keys stored in a separate secure location to ensure recoverability
+ if needed, and is access to encryption key usage minimized?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node646
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645
+ description: 'Encryption Key Management Personnel: Designation of individuals
+ responsible for encryption key management.'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented procedures for the generation, use,
+ storage, distribution, change, recovery, and disposal of encryption keys?
+
+ - Are encryption keys stored in a separate secure location to ensure recoverability
+ if needed, and is access to encryption key usage minimized?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node647
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645
+ description: 'Key Generation and Storage Methods: Methods for generating and
+ storing encryption keys (including secure backup).'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented procedures for the generation, use,
+ storage, distribution, change, recovery, and disposal of encryption keys?
+
+ - Are encryption keys stored in a separate secure location to ensure recoverability
+ if needed, and is access to encryption key usage minimized?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node648
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645
+ description: 'Key Distribution and Recipients: Identification of those who receive
+ encryption keys and the methods of distribution (including decryption authority).'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented procedures for the generation, use,
+ storage, distribution, change, recovery, and disposal of encryption keys?
+
+ - Are encryption keys stored in a separate secure location to ensure recoverability
+ if needed, and is access to encryption key usage minimized?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node649
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645
+ description: 'Key Validity and Rotation: Duration of key validity (rotation
+ frequency), considering costs, business importance, and other factors when
+ changing keys.'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented procedures for the generation, use,
+ storage, distribution, change, recovery, and disposal of encryption keys?
+
+ - Are encryption keys stored in a separate secure location to ensure recoverability
+ if needed, and is access to encryption key usage minimized?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node650
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645
+ description: 'Key Recovery and Disposal Procedures: Procedures and methods for
+ recovering and disposing of encryption keys.'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented procedures for the generation, use,
+ storage, distribution, change, recovery, and disposal of encryption keys?
+
+ - Are encryption keys stored in a separate secure location to ensure recoverability
+ if needed, and is access to encryption key usage minimized?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node651
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node645
+ description: 'Prohibition of Hardcoding Keys: Policies related to preventing
+ the hardcoding of encryption keys in source code.'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented procedures for the generation, use,
+ storage, distribution, change, recovery, and disposal of encryption keys?
+
+ - Are encryption keys stored in a separate secure location to ensure recoverability
+ if needed, and is access to encryption key usage minimized?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node652
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.7.2
+ description: 'Secure Storage and Access Control for Encryption Keys: Encryption
+ keys should be stored in a separate secure location to ensure they can be
+ recovered if needed, and access to them should be minimized:'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented procedures for the generation, use,
+ storage, distribution, change, recovery, and disposal of encryption keys?
+
+ - Are encryption keys stored in a separate secure location to ensure recoverability
+ if needed, and is access to encryption key usage minimized?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node653
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node652
+ description: 'Secure Storage: In case of damage, encryption keys should be stored
+ on a separate medium and kept in a secure location (e.g., encryption key management
+ systems, physically separated areas).'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented procedures for the generation, use,
+ storage, distribution, change, recovery, and disposal of encryption keys?
+
+ - Are encryption keys stored in a separate secure location to ensure recoverability
+ if needed, and is access to encryption key usage minimized?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node654
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node652
+ description: 'Access Control: Minimize access to encryption keys and implement
+ monitoring of access.'
+ annotation: 'Key Points for Verification:
+
+ - Have you established and implemented procedures for the generation, use,
+ storage, distribution, change, recovery, and disposal of encryption keys?
+
+ - Are encryption keys stored in a separate secure location to ensure recoverability
+ if needed, and is access to encryption key usage minimized?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.8
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2
+ ref_id: '2.8'
+ name: Information System Introduction and Development Security
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.1
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8
+ ref_id: 2.8.1
+ name: Definition of Security Requirements
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node657
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.1
+ description: When introducing, developing, or changing an information system,
+ you must establish and implement procedures to review and accept the system
+ from the perspective of information security and privacy protection.
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node658
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node657
+ description: 'Develop an introduction plan that includes feasibility analysis
+ for new information systems (servers, network equipment, commercial software
+ packages) and security systems:'
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node659
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node658
+ description: Analysis of current system resource utilization, usage, and capacity
+ limits
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node660
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node658
+ description: Requirements for performance, stability, security, reliability,
+ compatibility with existing systems, and interoperability
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node661
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node658
+ description: Compliance with legal requirements such as the Personal Information
+ Protection Act (including the standards for ensuring the safety of personal
+ information) if the system involves personal data processing
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node662
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node657
+ description: Incorporate information security and privacy protection requirements
+ into the Request for Proposal (RFP) and use them as criteria when selecting
+ vendors or products
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node663
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node657
+ description: 'Establish criteria for determining system acceptance:'
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node664
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node663
+ description: Develop acceptance criteria reflecting performance, security, and
+ legal requirements defined in the introduction plan
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node665
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node663
+ description: Ensure compliance with acceptance criteria during the system introduction
+ process by reflecting them in purchase contracts
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node666
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.1
+ description: When introducing, developing, or changing an information system,
+ you must clearly define security requirements, including legal obligations
+ and the latest vulnerabilities, and incorporate them from the design stage.
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node667
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node666
+ description: 'Legal requirements related to personal data protection: access
+ control, encryption, access logs, etc.'
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node668
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node666
+ description: Information security and privacy protection requirements based
+ on higher authority and internal regulations
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node669
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node666
+ description: 'Technical security requirements: authentication, development security,
+ etc.'
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node670
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node666
+ description: Latest security vulnerabilities
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node671
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.1
+ description: You must establish and apply coding standards for the secure implementation
+ of information systems.
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node672
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node671
+ description: Develop secure coding standards and guidelines to minimize threats
+ from known technical security vulnerabilities
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node673
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node671
+ description: Include all relevant development languages and environments such
+ as Java, PHP, ASP, web, and mobile.
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node674
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node671
+ description: Conduct training for developers on secure coding standards and
+ guidelines.
+ annotation: 'Key Points for Verification:
+
+ - hen introducing, developing, or changing an information system, you must
+ establish and implement procedures for reviewing and accepting the system
+ from the perspective of information security and privacy protection.
+
+ - When introducing, developing, or changing an information system, you must
+ clearly define security requirements, including legal obligations and the
+ latest vulnerabilities, and integrate these requirements from the design stage.
+
+ - You must establish and apply coding standards to ensure the safe implementation
+ of the information system.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.2
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8
+ ref_id: 2.8.2
+ name: Review and Testing of Security Requirements
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node676
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.2
+ description: When introducing, developing, or changing information systems,
+ establish review criteria and procedures to verify that the security requirements
+ defined during the analysis and design phases are effectively applied, and
+ conduct tests accordingly.
+ annotation: 'Key Points for Verification:
+
+ - When introducing, developing, or changing information systems, are tests
+ conducted to verify that the security requirements defined during the analysis
+ and design phases are effectively applied?
+
+ - Is vulnerability assessment performed to ensure that the information system
+ is developed securely according to coding standards?
+
+ - Are procedures such as improvement planning and implementation checks followed
+ to promptly address issues found during testing and vulnerability assessment?
+
+ - For public institutions, do they conduct impact assessments through evaluation
+ agencies during the analysis and design phases when developing or changing
+ personal data processing systems, and incorporate the results into development
+ and changes as required by relevant laws?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node677
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node676
+ description: Perform tests to ensure that the system meets pre-defined security
+ requirements before acceptance.
+ annotation: 'Key Points for Verification:
+
+ - When introducing, developing, or changing information systems, are tests
+ conducted to verify that the security requirements defined during the analysis
+ and design phases are effectively applied?
+
+ - Is vulnerability assessment performed to ensure that the information system
+ is developed securely according to coding standards?
+
+ - Are procedures such as improvement planning and implementation checks followed
+ to promptly address issues found during testing and vulnerability assessment?
+
+ - For public institutions, do they conduct impact assessments through evaluation
+ agencies during the analysis and design phases when developing or changing
+ personal data processing systems, and incorporate the results into development
+ and changes as required by relevant laws?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node678
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node677
+ description: Establish acceptance criteria and procedures to verify that the
+ information system meets pre-defined security requirements for development,
+ changes, and deployment.
+ annotation: 'Key Points for Verification:
+
+ - When introducing, developing, or changing information systems, are tests
+ conducted to verify that the security requirements defined during the analysis
+ and design phases are effectively applied?
+
+ - Is vulnerability assessment performed to ensure that the information system
+ is developed securely according to coding standards?
+
+ - Are procedures such as improvement planning and implementation checks followed
+ to promptly address issues found during testing and vulnerability assessment?
+
+ - For public institutions, do they conduct impact assessments through evaluation
+ agencies during the analysis and design phases when developing or changing
+ personal data processing systems, and incorporate the results into development
+ and changes as required by relevant laws?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node679
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node677
+ description: Confirm compliance with the pre-defined acceptance criteria through
+ tests before deciding on acceptance.
+ annotation: 'Key Points for Verification:
+
+ - When introducing, developing, or changing information systems, are tests
+ conducted to verify that the security requirements defined during the analysis
+ and design phases are effectively applied?
+
+ - Is vulnerability assessment performed to ensure that the information system
+ is developed securely according to coding standards?
+
+ - Are procedures such as improvement planning and implementation checks followed
+ to promptly address issues found during testing and vulnerability assessment?
+
+ - For public institutions, do they conduct impact assessments through evaluation
+ agencies during the analysis and design phases when developing or changing
+ personal data processing systems, and incorporate the results into development
+ and changes as required by relevant laws?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node680
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node677
+ description: Check system security settings, removal of unnecessary default
+ accounts, and application of the latest security patches.
+ annotation: 'Key Points for Verification:
+
+ - When introducing, developing, or changing information systems, are tests
+ conducted to verify that the security requirements defined during the analysis
+ and design phases are effectively applied?
+
+ - Is vulnerability assessment performed to ensure that the information system
+ is developed securely according to coding standards?
+
+ - Are procedures such as improvement planning and implementation checks followed
+ to promptly address issues found during testing and vulnerability assessment?
+
+ - For public institutions, do they conduct impact assessments through evaluation
+ agencies during the analysis and design phases when developing or changing
+ personal data processing systems, and incorporate the results into development
+ and changes as required by relevant laws?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node681
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node676
+ description: Conduct tests to ensure that developed and changed functionalities
+ meet the pre-defined security requirements.
+ annotation: 'Key Points for Verification:
+
+ - When introducing, developing, or changing information systems, are tests
+ conducted to verify that the security requirements defined during the analysis
+ and design phases are effectively applied?
+
+ - Is vulnerability assessment performed to ensure that the information system
+ is developed securely according to coding standards?
+
+ - Are procedures such as improvement planning and implementation checks followed
+ to promptly address issues found during testing and vulnerability assessment?
+
+ - For public institutions, do they conduct impact assessments through evaluation
+ agencies during the analysis and design phases when developing or changing
+ personal data processing systems, and incorporate the results into development
+ and changes as required by relevant laws?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node682
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node681
+ description: Reflect results in test plans, checklists, and test reports.
+ annotation: 'Key Points for Verification:
+
+ - When introducing, developing, or changing information systems, are tests
+ conducted to verify that the security requirements defined during the analysis
+ and design phases are effectively applied?
+
+ - Is vulnerability assessment performed to ensure that the information system
+ is developed securely according to coding standards?
+
+ - Are procedures such as improvement planning and implementation checks followed
+ to promptly address issues found during testing and vulnerability assessment?
+
+ - For public institutions, do they conduct impact assessments through evaluation
+ agencies during the analysis and design phases when developing or changing
+ personal data processing systems, and incorporate the results into development
+ and changes as required by relevant laws?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node683
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.2
+ description: Perform vulnerability assessments to ensure that the information
+ system is developed securely according to coding standards.
+ annotation: 'Key Points for Verification:
+
+ - When introducing, developing, or changing information systems, are tests
+ conducted to verify that the security requirements defined during the analysis
+ and design phases are effectively applied?
+
+ - Is vulnerability assessment performed to ensure that the information system
+ is developed securely according to coding standards?
+
+ - Are procedures such as improvement planning and implementation checks followed
+ to promptly address issues found during testing and vulnerability assessment?
+
+ - For public institutions, do they conduct impact assessments through evaluation
+ agencies during the analysis and design phases when developing or changing
+ personal data processing systems, and incorporate the results into development
+ and changes as required by relevant laws?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node684
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node683
+ description: After coding is complete, check compliance with secure coding standards
+ and perform vulnerability assessments to identify technical security weaknesses.
+ annotation: 'Key Points for Verification:
+
+ - When introducing, developing, or changing information systems, are tests
+ conducted to verify that the security requirements defined during the analysis
+ and design phases are effectively applied?
+
+ - Is vulnerability assessment performed to ensure that the information system
+ is developed securely according to coding standards?
+
+ - Are procedures such as improvement planning and implementation checks followed
+ to promptly address issues found during testing and vulnerability assessment?
+
+ - For public institutions, do they conduct impact assessments through evaluation
+ agencies during the analysis and design phases when developing or changing
+ personal data processing systems, and incorporate the results into development
+ and changes as required by relevant laws?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node685
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node684
+ description: Verify source code for compliance with secure coding standards
+ (e.g., using source code verification tools).
+ annotation: 'Key Points for Verification:
+
+ - When introducing, developing, or changing information systems, are tests
+ conducted to verify that the security requirements defined during the analysis
+ and design phases are effectively applied?
+
+ - Is vulnerability assessment performed to ensure that the information system
+ is developed securely according to coding standards?
+
+ - Are procedures such as improvement planning and implementation checks followed
+ to promptly address issues found during testing and vulnerability assessment?
+
+ - For public institutions, do they conduct impact assessments through evaluation
+ agencies during the analysis and design phases when developing or changing
+ personal data processing systems, and incorporate the results into development
+ and changes as required by relevant laws?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node686
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node684
+ description: Test completed programs for vulnerabilities using vulnerability
+ assessment tools or simulated testing in an environment identical to the operational
+ environment.
+ annotation: 'Key Points for Verification:
+
+ - When introducing, developing, or changing information systems, are tests
+ conducted to verify that the security requirements defined during the analysis
+ and design phases are effectively applied?
+
+ - Is vulnerability assessment performed to ensure that the information system
+ is developed securely according to coding standards?
+
+ - Are procedures such as improvement planning and implementation checks followed
+ to promptly address issues found during testing and vulnerability assessment?
+ + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node687 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.2 + description: In the process of testing and vulnerability assessment, establish + and implement procedures to quickly address identified issues, including developing + improvement plans and verifying implementation. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node688 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node687 + description: Develop an improvement plan for issues identified, ensure internal + reporting, and establish procedures to verify the implementation of fixes + before system launch. 
+ annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node689 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node687 + description: If it is unavoidable to resolve issues before the system launch, + assess the impact, develop mitigating measures, and prepare internal reports + to minimize risks. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node690 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.2 + description: Public institutions must perform privacy impact assessments through + designated evaluation bodies during the analysis and design phases for new + or changed personal information processing systems, and incorporate the results + into development and modifications according to relevant laws. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node691 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node690 + description: When planning for new development or changes of personal information + processing systems, public institutions must review whether they are required + to conduct privacy impact assessments. If so, they should establish a plan + for the assessment and secure the necessary budget. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? 
+ + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node692 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node690 + description: Public institutions must conduct a privacy impact assessment through + an evaluation agency designated by the Personal Information Protection Commission + during the analysis and design stages of new or changed personal information + processing systems, and incorporate the results into development and modifications. + annotation: "The list of designated evaluation agencies can be checked on the\ + \ 'Personal Information Portal' (www.privacy.go.kr). \nFor procedures and\ + \ criteria for conducting impact assessments, refer to the 'Personal Information\ + \ Impact Assessment Guide'." + - urn: urn:intuitem:risk:req_node:k_isms_p:node693 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node690 + description: Public institutions must submit the privacy impact assessment report + to the Personal Information Protection Commission before the system goes live + and within 2 months after the assessment is completed. + annotation: 'Register the assessment report on the Personal Information Protection + Comprehensive Support System (intra.privacy.go.kr). + + The Personal Information Protection Commission or the head of the public institution + may publish a summary of the assessment report.' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node694 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node690 + description: Manage the implementation of improvement requirements resulting + from the privacy impact assessment. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node695 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node694 + description: Develop a detailed implementation plan for the improvement requirements. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? 
+ + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node696 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node694 + description: Regularly check the implementation status. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node697 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node694 + description: If it is unavoidable to take action within the specified period, + record and report the valid reasons, and establish a plan for future actions. + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? 
+ + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node698 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node694 + description: The head of the public institution that received the impact assessment + report must submit a report on the implementation status of the identified + improvements to the Personal Information Protection Commission within one + year (Improvement Plan Implementation Verification Report). + annotation: 'Key Points for Verification: + + - When introducing, developing, or changing information systems, are tests + conducted to verify that the security requirements defined during the analysis + and design phases are effectively applied? + + - Is vulnerability assessment performed to ensure that the information system + is developed securely according to coding standards? + + - Are procedures such as improvement planning and implementation checks followed + to promptly address issues found during testing and vulnerability assessment? + + - For public institutions, do they conduct impact assessments through evaluation + agencies during the analysis and design phases when developing or changing + personal data processing systems, and incorporate the results into development + and changes as required by relevant laws?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8 + ref_id: 2.8.3 + name: Separation of Testing and Operational Environments + - urn: urn:intuitem:risk:req_node:k_isms_p:node700 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.3 + description: The development and testing systems of the information system must + be separated from the operational system. + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node701 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node700 + description: The development and testing systems should be configured separately + from the operational system as a general rule. + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node702 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node700 + description: Establish and implement access control measures to prevent developers + from unnecessarily accessing the operational system from the development and + testing systems. + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? 
+ + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node703 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.3 + description: If separation of development and production environments is unavoidable, + security measures such as mutual review, higher authority monitoring, change + approval, and responsibility tracking should be established. + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node704 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node703 + description: If it is unavoidable due to reasons like very small organizational + size, lack of human resources, or system characteristics, apply appropriate + compensatory controls to reduce security risks. + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node705 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node704 + description: 'Mutual Review: Implement mutual review among personnel.' 
+ annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node706 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node704 + description: 'Change Approval: Ensure all changes are approved.' + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node707 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node704 + description: 'Higher Authority Monitoring and Auditing: Monitor and audit by + higher authorities.' + annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node708 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node704 + description: 'Backup and Recovery: Establish backup and recovery solutions, + and ensure responsibility tracking.' 
+ annotation: 'Key Points for Verification: + + - Are the development and testing systems for information systems separated + from the production systems? + + - If separation of development and production environments is unavoidable, + have security measures been established, such as mutual review, monitoring + by higher authorities, change approval, and responsibility tracking?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8 + ref_id: 2.8.4 + name: Security of Test Data + - urn: urn:intuitem:risk:req_node:k_isms_p:node710 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.4 + description: The use of actual operational data during the development and testing + of information systems must be restricted. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node711 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node710 + description: To prevent the leakage of personal and sensitive information during + system testing, test data should be created randomly or processed/converted + from operational data before use. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node712 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node710 + description: Establish and implement standards and procedures for data transformation + and usage. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node713 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.4 + description: If it is unavoidable to use operational data in the test environment, + procedures for control must be established and implemented, including responsible + approval, access and leakage monitoring, and data deletion after testing. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node714 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node713 + description: 'Establish an approval procedure for using operational data: define + reporting and approval systems based on data sensitivity.' + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? 
+ + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node715 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node713 + description: Develop and implement procedures for data disposal after the testing + period expires. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node716 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node713 + description: Apply access control measures for operational data in the test + environment. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? + + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node717 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node713 + description: Conduct monitoring and regular reviews of operational data replication + and usage. + annotation: 'Key Points for Verification: + + - Are the use of actual operational data restricted during the development + and testing processes of information systems? 
+ + If it is unavoidable to use operational data in the test environment, are + procedures in place for obtaining responsible approval, monitoring access + and data leakage, and deleting data after testing?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8 + ref_id: 2.8.5 + name: Source Program Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node719 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.5 + description: Procedures must be established and implemented to control unauthorized + access to source code. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node720 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node719 + description: Develop procedures for access to and use of source code. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node721 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node719 + description: Grant access rights only to authorized developers and personnel, + and block unauthorized access. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? 
+ + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node722 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node719 + description: Implement access controls for servers where source code is stored + (e.g., version control servers). + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node723 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.5 + description: Source code must be securely stored in a location other than the + operational environment to prepare for emergencies. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node724 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node723 + description: Backup both the latest and previous versions of the source code. + annotation: 'Key Points for Verification: + + - Are procedures established and implemented to control unauthorized access + to source code? + + - Is source code securely stored in a location other than the operational + environment to prepare for emergencies, such as system failures? + + - Is the change history of the source code managed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node725
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node723
+ description: Store and manage the source code in a separate environment from
+ the operational environment.
+ annotation: 'Key Points for Verification:
+
+ - Are procedures established and implemented to control unauthorized access
+ to source code?
+
+ - Is source code securely stored in a location other than the operational
+ environment to prepare for emergencies, such as system failures?
+
+ - Is the change history of the source code managed?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node726
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node723
+ description: Control access to source code backups to prevent unauthorized access.
+ annotation: 'Key Points for Verification:
+
+ - Are procedures established and implemented to control unauthorized access
+ to source code?
+
+ - Is source code securely stored in a location other than the operational
+ environment to prepare for emergencies, such as system failures?
+
+ - Is the change history of the source code managed?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node727
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.5
+ description: Change history of the source code must be managed.
+ annotation: 'Key Points for Verification:
+
+ - Are procedures established and implemented to control unauthorized access
+ to source code?
+
+ - Is source code securely stored in a location other than the operational
+ environment to prepare for emergencies, such as system failures?
+
+ - Is the change history of the source code managed?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node728
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node727
+ description: Establish procedures for source code changes, including approval
+ and change procedures, and version control methods.
+ annotation: 'Key Points for Verification:
+
+ - Are procedures established and implemented to control unauthorized access
+ to source code?
+
+ - Is source code securely stored in a location other than the operational
+ environment to prepare for emergencies, such as system failures?
+
+ - Is the change history of the source code managed?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node729
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node727
+ description: 'Manage source code change history: record the date of changes,
+ reasons for changes, and personnel involved.'
+ annotation: 'Key Points for Verification:
+
+ - Are procedures established and implemented to control unauthorized access
+ to source code?
+
+ - Is source code securely stored in a location other than the operational
+ environment to prepare for emergencies, such as system failures?
+
+ - Is the change history of the source code managed?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node730
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node727
+ description: Perform change control for system-related documents (e.g., design
+ documents) associated with source code changes.
+ annotation: 'Key Points for Verification:
+
+ - Are procedures established and implemented to control unauthorized access
+ to source code?
+
+ - Is source code securely stored in a location other than the operational
+ environment to prepare for emergencies, such as system failures?
+
+ - Is the change history of the source code managed?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node731
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node727
+ description: Regularly review source code change history and change control
+ activities.
+ annotation: 'Key Points for Verification:
+
+ - Are procedures established and implemented to control unauthorized access
+ to source code?
+
+ - Is source code securely stored in a location other than the operational
+ environment to prepare for emergencies, such as system failures?
+
+ - Is the change history of the source code managed?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.8.6
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8
+ ref_id: 2.8.6
+ name: Migration to Operational Environment
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node733
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.6
+ description: Procedures must be established and implemented to safely transition
+ newly introduced, developed, and modified systems into the operational environment.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node734
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733
+ description: Designate a transition manager other than the developer.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node735
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733
+ description: Confirm completion of testing.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node736
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733
+ description: Define a transition strategy (e.g., phased transition, full transition).
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node737
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733
+ description: Prepare response measures for issues that may arise during transition
+ (e.g., rollback plans, storage plans for previous versions of the system).
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node738
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733
+ description: Obtain approval from the responsible person for the transition.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node739
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node733
+ description: Maintain records and perform reviews of the transition.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node740
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node739
+ description: If applying DevOps in a cloud environment, ensure secure deployment
+ to the operational environment following controlled procedures within the
+ CI/CD pipeline, applying DevSecOps controls.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node741
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.6
+ description: Prepare response measures for potential issues that may arise during
+ the transition to the operational environment.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node742
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node741
+ description: Develop rollback plans if the transition to the operational environment
+ does not proceed smoothly.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node743
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node741
+ description: Establish storage plans for previous versions of the system (e.g.,
+ software, add-ons, configuration files, parameters).
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node744
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.8.6
+ description: Only install files necessary for service execution in the operational
+ environment.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node745
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node744
+ description: Ensure that the operational environment does not contain unauthorized
+ development tools (e.g., editors), source programs, backup copies, or any
+ unnecessary files related to service execution.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented to safely transition newly
+ introduced, developed, and modified systems into the operational environment?
+
+ - Are only the files necessary for service execution installed in the operational
+ environment?
+
+ - Have measures been prepared to address potential issues that may arise during
+ the transition to the operational environment?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.9
+ assessable: false
+ depth: 2
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2
+ ref_id: '2.9'
+ name: System and Service Operation Management
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.1
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9
+ ref_id: 2.9.1
+ name: Change Management
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node748
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.1
+ description: Procedures for changes related to information system assets (such
+ as hardware, operating systems, commercial software packages, etc.) must be
+ established and implemented.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented for changes related to
+ information system assets (such as hardware, operating systems, commercial
+ software packages, etc.)?
+
+ - Before performing changes to information system assets, do you analyze the
+ impact on performance and security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node749
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node748
+ description: When changes are needed for information system assets, such as
+ operating system upgrades, commercial software installations, enhancements
+ to running application functionalities, network configuration changes, or
+ expansion of CPU, memory, and storage, formal procedures for making these
+ changes should be established and followed.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented for changes related to
+ information system assets (such as hardware, operating systems, commercial
+ software packages, etc.)?
+
+ - Before performing changes to information system assets, do you analyze the
+ impact on performance and security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node750
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.1
+ description: Before making changes to information system assets, the impacts
+ on performance and security must be analyzed
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented for changes related to
+ information system assets (such as hardware, operating systems, commercial
+ software packages, etc.)?
+
+ - Before performing changes to information system assets, do you analyze the
+ impact on performance and security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node751
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node750
+ description: When changes are required for information system assets, analyze
+ the impacts on security, performance, and operations, such as the need for
+ changes to security system policies (e.g., firewall policies), potential issues,
+ and the extent of their impact
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented for changes related to
+ information system assets (such as hardware, operating systems, commercial
+ software packages, etc.)?
+
+ - Before performing changes to information system assets, do you analyze the
+ impact on performance and security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node752
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node750
+ description: Implement changes in a way that minimizes the impact.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented for changes related to
+ information system assets (such as hardware, operating systems, commercial
+ software packages, etc.)?
+
+ - Before performing changes to information system assets, do you analyze the
+ impact on performance and security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node753
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node750
+ description: Consider recovery plans in advance in case of change failures.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures been established and implemented for changes related to
+ information system assets (such as hardware, operating systems, commercial
+ software packages, etc.)?
+
+ - Before performing changes to information system assets, do you analyze the
+ impact on performance and security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9
+ ref_id: 2.9.2
+ name: Performance and Fault Management
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node755
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2
+ description: 'To ensure the availability of information systems, procedures
+ must be established and implemented for continuously monitoring performance
+ and capacity, including the following aspects:'
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node756
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node755
+ description: 'Identification Criteria for Performance and Capacity Management
+ Targets: Identify key information systems and security systems that could
+ impact service and business operations and include them in the monitoring
+ targets.'
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node757
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node755
+ description: 'Definition of Performance and Capacity Requirements (Thresholds)
+ for Each Information System: Determine thresholds for CPU, memory, storage,
+ etc., that could affect system availability.'
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node758
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node755
+ description: 'Monitoring Methods: Establish methods to continuously monitor
+ for threshold breaches and respond accordingly (e.g., alarms).'
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node759
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node755
+ description: Recording, Analyzing, and Reporting Monitoring Results.
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node760
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node755
+ description: Designation of Performance and Capacity Management Personnel and
+ Responsibilities.
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node761
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2
+ description: 'Procedures must be established and implemented for responding
+ when information system performance and capacity requirements (thresholds)
+ are exceeded:'
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node762
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node761
+ description: Continuously monitor the performance and capacity status of information
+ systems and establish and implement action plans (e.g., upgrading systems,
+ memory, storage) when thresholds are exceeded.
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node763
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2
+ description: 'Procedures must be established and implemented to immediately
+ detect and respond to information system failures, including the following:'
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node764
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node763
+ description: Definition of Failure Types and Severity Levels.
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node765
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node763
+ description: Reporting Procedures by Failure Type and Severity Level.
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node766
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node763
+ description: 'Detection Methods for Each Failure Type: Utilize management systems
+ such as Network Management Systems (NMS).'
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node767
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node763
+ description: Definition of Responsibilities and Roles for Failure Response and
+ Recovery.
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node768
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node763
+ description: Recording and Analyzing Failures.
+ annotation: 'Key Points for Verification:
+
+ - To ensure the availability of information systems, are procedures in place
+ for continuously monitoring performance and capacity?
+
+ - Are there procedures established and implemented for responding when performance
+ and capacity requirements (thresholds) are exceeded?
+
+ - Are procedures in place for promptly detecting and responding to information
+ system failures?
+
+ - In the event of a failure, are actions taken according to established procedures,
+ and is a failure response report or similar documentation maintained to track
+ and manage the actions taken?
+
+ - For high-severity failures, are preventive measures developed through root
+ cause analysis to prevent recurrence?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node769 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2 + description: 'For customer-facing services: procedures for informing customers.' + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node770 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2 + description: Emergency contact system (maintenance vendors, information system + manufacturers), etc. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node771 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node770 + description: In the event of a failure, actions must be taken according to the + procedures, and the details of the failure response must be recorded and managed + through failure response reports and similar documentation. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node772 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.2 + description: For high-severity incidents, a root cause analysis must be conducted + to establish and implement measures to prevent recurrence. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? 
+ + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node773 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node772 + description: For severe incidents such as those causing disruption to daily + operations, excessive costs (damage), or recurring issues, the root cause + must be identified, and measures to prevent recurrence should be established + and implemented. + annotation: 'Key Points for Verification: + + - To ensure the availability of information systems, are procedures in place + for continuously monitoring performance and capacity? + + - Are there procedures established and implemented for responding when performance + and capacity requirements (thresholds) are exceeded? + + - Are procedures in place for promptly detecting and responding to information + system failures? + + - In the event of a failure, are actions taken according to established procedures, + and is a failure response report or similar documentation maintained to track + and manage the actions taken? + + - For high-severity failures, are preventive measures developed through root + cause analysis to prevent recurrence?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9 + ref_id: 2.9.3 + name: Backup and Recovery Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node775 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.3 + description: Backup and recovery procedures, including the backup targets, frequency, + methods, and processes, must be established and implemented to ensure timely + recovery of information systems in the event of damage caused by disasters, + failures, or security incidents. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node776 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Establish criteria for selecting backup targets. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node777 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Designate backup personnel and responsible parties. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node778 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Define backup frequency and retention periods for each backup target. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node779 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Determine backup methods and procedures, such as using backup systems + or manual methods. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? 
+ + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node780 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Manage backup media, including labeling, storage locations, and + access controls. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node781 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: 'Implement backup recovery procedures: For major information systems, + conduct regular recovery tests to verify the completeness and accuracy of + backup information from a disaster recovery perspective.' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node782 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node775 + description: Maintain a backup management ledger. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node783 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.3 + description: To ensure the completeness and accuracy of backed-up information + and the adequacy of recovery procedures, regular recovery tests must be conducted. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node784 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node783 + description: 'Develop a recovery test plan: This plan should include the frequency + and timing of recovery tests, designated personnel, and methods.' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? 
+ + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node785 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node783 + description: 'Establish recovery test scenarios: Create scenarios to simulate + various types of recovery situations to effectively evaluate the recovery + process.' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node786 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node783 + description: 'Conduct and report on recovery tests: Perform recovery tests as + planned and document the results.' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node787 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node783 + description: Establish and implement improvement plans if issues are discovered + during the recovery tests. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node788 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.3 + description: 'For backup media containing critical information, ensure that + it is physically dispersed to locations that can handle disasters and emergencies:' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node789 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node788 + description: 'Store and manage backup media in locations physically distant + from the operational information systems or backup systems. 
Maintain a log + of dispersal activities including:' + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node790 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node789 + description: "Dispersal dates\_(e.g., transport in and out)" + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node791 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node789 + description: Details of dispersed backup media and backup information + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node792 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node788 + description: "Regularly check\_whether the dispersal is being carried out appropriately." + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node793 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node788 + description: "Implement security measures\_at the dispersal locations, such\ + \ as:" + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node794 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node793 + description: Measures against natural disasters (e.g., fireproof safes, flame + retardant treatments) + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? 
+ + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node795 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node793 + description: Access controls for the dispersal site and media. + annotation: 'Key Points for Verification: + + - Have you established and implemented backup and recovery procedures that + include backup targets, frequency, methods, and processes? + + - Do you regularly perform recovery tests to ensure the integrity and accuracy + of backed-up information and the adequacy of recovery procedures? + + - For backup media containing critical information, do you store the backup + media in a physically separate location to protect against disasters and emergencies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9 + ref_id: 2.9.4 + name: Log and Access Record Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node797 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.4 + description: ' Procedures for log management for information systems such as + servers, applications, security systems, and network systems must be established, + and necessary logs must be generated and retained according to these procedures.' + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? 
+ + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node798 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node797 + description: Identify the types of logs and the target systems that need to + be preserved. + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node799 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node797 + description: ' The types of logs, retention periods, and methods of log preservation + (including backups) must be defined for each system and device. ' + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? 
+ + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node800 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node797 + description: ' Establish log management procedures and ensure logs are generated + and stored according to these procedures.' + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node801 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.4 + description: Logs from information systems must be securely stored to prevent + tampering, theft, or loss, and access to log records must be minimized + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node802 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node801 + description: Log records should be backed up using separate storage devices, + such as dedicated storage, and access rights to these records should be minimized + to prevent unauthorized individuals from tampering with, altering, or deleting + logs. + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node803 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.4 + description: Access records for personal information processing systems must + be electronically recorded to include all required elements in compliance + with legal requirements and must be securely stored for a specified period. + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node804 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node803 + description: Mandatory elements that must be included in access records for + personal information processing systems. + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node805 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node803 + description: Retention period for access records of personal information processing + systems. + annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node806 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node803 + description: Access records for personal information must be securely stored + to prevent tampering, theft, or loss. 
+ annotation: 'Key Points for Verification: + + - Have procedures for log management for information systems such as servers, + applications, security systems, and network systems been established and are + they followed to generate and retain necessary logs? + + - Are the logs of information systems securely stored to prevent tampering, + theft, and loss, and is access to these logs minimized and controlled? + + - Are access records for personal data processing systems stored securely + for a specified period, including all required elements to comply with legal + requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9 + ref_id: 2.9.5 + name: Log and Access Record Review + - urn: urn:intuitem:risk:req_node:k_isms_p:node808 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.5 + description: 'Procedures for log review and monitoring must be established and + implemented to detect anomalies such as errors, misuse (unauthorized access, + excessive queries), and fraudulent activities in information systems, including:' + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node809 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node808 + description: Review frequency + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node810 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node808 + description: Review targets + annotation: 'Key Points for Verification: + + - Have procedures for log review and monitoring been established and implemented, + including review frequency, targets, and methods, to detect anomalies such + as errors, misuse (unauthorized access, excessive queries), and fraudulent + activities related to information systems? + + - Are the results of log reviews and monitoring reported to the responsible + person, and are appropriate actions taken according to procedures when anomalies + are detected? + + - Are the access records of personal information processing systems regularly + inspected in accordance with the intervals specified by relevant laws and + regulations?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node811
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node808
+ description: Review criteria and methods
+ annotation: 'Key Points for Verification:
+
+ - Have procedures for log review and monitoring been established and implemented,
+ including review frequency, targets, and methods, to detect anomalies such
+ as errors, misuse (unauthorized access, excessive queries), and fraudulent
+ activities related to information systems?
+
+ - Are the results of log reviews and monitoring reported to the responsible
+ person, and are appropriate actions taken according to procedures when anomalies
+ are detected?
+
+ - Are the access records of personal information processing systems regularly
+ inspected in accordance with the intervals specified by relevant laws and
+ regulations?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node812
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node808
+ description: Review personnel and responsibilities
+ annotation: 'Key Points for Verification:
+
+ - Have procedures for log review and monitoring been established and implemented,
+ including review frequency, targets, and methods, to detect anomalies such
+ as errors, misuse (unauthorized access, excessive queries), and fraudulent
+ activities related to information systems?
+
+ - Are the results of log reviews and monitoring reported to the responsible
+ person, and are appropriate actions taken according to procedures when anomalies
+ are detected?
+
+ - Are the access records of personal information processing systems regularly
+ inspected in accordance with the intervals specified by relevant laws and
+ regulations?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node813
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node808
+ description: Procedures for responding to detected anomalies
+ annotation: 'Key Points for Verification:
+
+ - Have procedures for log review and monitoring been established and implemented,
+ including review frequency, targets, and methods, to detect anomalies such
+ as errors, misuse (unauthorized access, excessive queries), and fraudulent
+ activities related to information systems?
+
+ - Are the results of log reviews and monitoring reported to the responsible
+ person, and are appropriate actions taken according to procedures when anomalies
+ are detected?
+
+ - Are the access records of personal information processing systems regularly
+ inspected in accordance with the intervals specified by relevant laws and
+ regulations?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node814
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.5
+ description: 'The results of log review and monitoring must be reported to the
+ responsible person, and appropriate actions must be taken according to procedures
+ if anomalies are detected:'
+ annotation: 'Key Points for Verification:
+
+ - Have procedures for log review and monitoring been established and implemented,
+ including review frequency, targets, and methods, to detect anomalies such
+ as errors, misuse (unauthorized access, excessive queries), and fraudulent
+ activities related to information systems?
+
+ - Are the results of log reviews and monitoring reported to the responsible
+ person, and are appropriate actions taken according to procedures when anomalies
+ are detected?
+
+ - Are the access records of personal information processing systems regularly
+ inspected in accordance with the intervals specified by relevant laws and
+ regulations?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node815
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node814
+ description: Perform reviews according to log review and monitoring criteria
+ and report the results, including any detected anomalies, to the relevant
+ responsible person
+ annotation: 'Key Points for Verification:
+
+ - Have procedures for log review and monitoring been established and implemented,
+ including review frequency, targets, and methods, to detect anomalies such
+ as errors, misuse (unauthorized access, excessive queries), and fraudulent
+ activities related to information systems?
+
+ - Are the results of log reviews and monitoring reported to the responsible
+ person, and are appropriate actions taken according to procedures when anomalies
+ are detected?
+
+ - Are the access records of personal information processing systems regularly
+ inspected in accordance with the intervals specified by relevant laws and
+ regulations?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node816
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node814
+ description: Establish and follow procedures for responding to detected anomalies,
+ including verifying incidents such as information leakage, hacking, misuse,
+ and fraudulent activities
+ annotation: 'Key Points for Verification:
+
+ - Have procedures for log review and monitoring been established and implemented,
+ including review frequency, targets, and methods, to detect anomalies such
+ as errors, misuse (unauthorized access, excessive queries), and fraudulent
+ activities related to information systems?
+
+ - Are the results of log reviews and monitoring reported to the responsible
+ person, and are appropriate actions taken according to procedures when anomalies
+ are detected?
+
+ - Are the access records of personal information processing systems regularly
+ inspected in accordance with the intervals specified by relevant laws and
+ regulations?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node817
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node814
+ description: If unauthorized downloading of personal information is confirmed,
+ verify the reasons according to the internal management plan and log review
+ criteria. If it is confirmed that personal information was downloaded for
+ misuse or leakage, promptly retrieve and dispose of the personal information
+ downloaded by the data handler, and take necessary actions.
+ annotation: 'Key Points for Verification:
+
+ - Have procedures for log review and monitoring been established and implemented,
+ including review frequency, targets, and methods, to detect anomalies such
+ as errors, misuse (unauthorized access, excessive queries), and fraudulent
+ activities related to information systems?
+
+ - Are the results of log reviews and monitoring reported to the responsible
+ person, and are appropriate actions taken according to procedures when anomalies
+ are detected?
+
+ - Are the access records of personal information processing systems regularly
+ inspected in accordance with the intervals specified by relevant laws and
+ regulations?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node818
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.5
+ description: 'Access records of personal information processing systems must
+ be regularly inspected in accordance with the intervals specified by relevant
+ laws and regulations:'
+ annotation: 'Key Points for Verification:
+
+ - Have procedures for log review and monitoring been established and implemented,
+ including review frequency, targets, and methods, to detect anomalies such
+ as errors, misuse (unauthorized access, excessive queries), and fraudulent
+ activities related to information systems?
+
+ - Are the results of log reviews and monitoring reported to the responsible
+ person, and are appropriate actions taken according to procedures when anomalies
+ are detected?
+
+ - Are the access records of personal information processing systems regularly
+ inspected in accordance with the intervals specified by relevant laws and
+ regulations?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node819
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node818
+ description: 'Legal requirement for checking personal information access records:
+ at least once a month'
+ annotation: 'Key Points for Verification:
+
+ - Have procedures for log review and monitoring been established and implemented,
+ including review frequency, targets, and methods, to detect anomalies such
+ as errors, misuse (unauthorized access, excessive queries), and fraudulent
+ activities related to information systems?
+
+ - Are the results of log reviews and monitoring reported to the responsible
+ person, and are appropriate actions taken according to procedures when anomalies
+ are detected?
+
+ - Are the access records of personal information processing systems regularly
+ inspected in accordance with the intervals specified by relevant laws and
+ regulations?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.6
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9
+ ref_id: 2.9.6
+ name: Time Synchronization
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node821
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.6
+ description: To ensure the accuracy of logs and access records and to enable
+ reliable log analysis, each information system must be synchronized with the
+ standard time.
+ annotation: 'Key Points for Verification:
+
+ - Is the time of the information system synchronized with the standard time?
+
+ - Are you regularly checking to ensure that time synchronization is functioning
+ correctly?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node822
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node821
+ description: Use methods such as NTP (Network Time Protocol) to synchronize
+ time across systems.
+ annotation: 'Key Points for Verification:
+
+ - Is the time of the information system synchronized with the standard time?
+
+ - Are you regularly checking to ensure that time synchronization is functioning
+ correctly?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node823
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node821
+ description: Ensure that all information systems requiring time accuracy (e.g.,
+ access control systems, CCTV storage devices) are synchronized without exception.
+ annotation: 'Key Points for Verification:
+
+ - Is the time of the information system synchronized with the standard time?
+
+ - Are you regularly checking to ensure that time synchronization is functioning
+ correctly?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node824
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.6
+ description: Regularly check to ensure that time synchronization is functioning
+ correctly.
+ annotation: 'Key Points for Verification:
+
+ - Is the time of the information system synchronized with the standard time?
+
+ - Are you regularly checking to ensure that time synchronization is functioning
+ correctly?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node825
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node824
+ description: Check for time synchronization errors and verify that synchronization
+ is applied correctly after OS reinstallations or configuration changes.
+ annotation: 'Key Points for Verification:
+
+ - Is the time of the information system synchronized with the standard time?
+
+ - Are you regularly checking to ensure that time synchronization is functioning
+ correctly?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9
+ ref_id: 2.9.7
+ name: Reuse and Disposal of Information Assets
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node827
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7
+ description: Establish and implement procedures for the safe reuse and disposal
+ of information assets.
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node828
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node827
+ description: 'Reuse Procedures for Information Assets: Methods for data initialization,
+ reuse processes, etc.'
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node829
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node827
+ description: 'Disposal Procedures for Information Assets: Methods of disposal,
+ disposal processes (including approval), disposal confirmation, and recording
+ in the disposal management log.'
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node830
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7
+ description: When reusing or disposing of information assets and storage media,
+ ensure that personal data and sensitive information are processed in a way
+ that prevents recovery.
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node831
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node830
+ description: 'For personal data destruction: Ensure safe destruction methods
+ so that recovery or regeneration is not possible, in accordance with relevant
+ regulations.'
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node832
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node830
+ description: Irreversible methods' refer to measures taken to ensure that personal
+ data, once destroyed, cannot be recovered with current technology and at a
+ reasonable cost, according to common social standards (Article 10 of the Standard
+ Privacy Protection Guidelines).
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node833
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7
+ description: 'When disposing of information assets and storage media on your
+ own, you must maintain a disposal log that includes the following information
+ and keep evidence of the disposal:'
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node834
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node833
+ description: Date of Disposal
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node835
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node833
+ description: Names of Disposal Responsible Person and Verifier
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node836
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node833
+ description: Disposal Method
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node837
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node833
+ description: Disposal Confirmation Evidence (e.g., photographs)
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node838
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7
+ description: 'When disposing of information assets and storage media through
+ an external company, the disposal procedures should be specified in the contract,
+ and it must be verified that the disposal was completed according to these
+ procedures:'
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node839
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node838
+ description: Include disposal procedures and protection measures, as well as
+ responsibility allocation, in the contract.
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node840
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node838
+ description: Verify compliance with the disposal procedures specified in the
+ contract through evidence such as photographs and on-site inspections.
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node841
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.9.7
+ description: 'In the case of maintenance or repair of information systems, PCs,
+ etc., measures should be established to protect information within storage
+ media during media replacement or recovery:'
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node842
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node841
+ description: Data transfer and destruction prior to maintenance request.
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node843
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node841
+ description: Data encryption.
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node844
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node841
+ description: Confidentiality agreement in the contract.
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node845
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node841
+ description: Complete data deletion or complete destruction of storage media,
+ etc.
+ annotation: 'Key Points for Verification:
+
+ - Are you establishing and implementing procedures for the safe reuse and
+ disposal of information assets?
+
+ - When reusing or disposing of information assets and storage media, are you
+ handling personal data and sensitive information in a manner that ensures
+ it cannot be recovered?
+
+ - If disposing of information assets and storage media internally, are you
+ keeping a disposal log and retaining proof of disposal?
+
+ - If disposing of information assets and storage media through an external
+ vendor, are you specifying the disposal procedures in the contract and verifying
+ that the disposal has been completed properly?
+
+ - In the maintenance and repair processes of information systems, PCs, etc.,
+ are you taking measures to protect information on storage media in case of
+ replacement or recovery?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.10' + name: System and Service Security Management + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.1 + name: Security System Operation + - urn: urn:intuitem:risk:req_node:k_isms_p:node848 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: 'For the security systems operated by the organization, the following + operational procedures must be established and implemented:' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node849 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Designate responsible persons and administrators for each type + of security system. 
+ annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node850 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Establish procedures for applying security system policies (such + as rule sets), including registration, modification, and deletion. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? 
+ + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node851 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: 'Implement measures for updating policies: For security systems + like IDS and IPS, continuously update the latest patterns (signatures) and + engines to detect new attack techniques.' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node852 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Establish procedures for monitoring security system events, including + detecting and confirming anomalies that violate policies. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node853 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Set policies for controlling access to security systems, such as + user authentication and IP or MAC address restrictions for administrator terminals. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? 
+ + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node854 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Regularly review the operational status of security systems. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node855 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node848 + description: Implement access control measures for the security systems themselves. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node856 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: You must minimize the number of authorized personnel, such as security + system administrators, and strictly control access by unauthorized individuals. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? 
+ + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node857 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node856 + description: Apply enhanced user authentication measures (such as OTP) and access + control for administrator terminal IPs or MAC addresses to strictly control + access by unauthorized individuals. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node858 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node856 + description: Regularly analyze security system access logs to check for any + unauthorized access attempts. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node859 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: For each security system, establish and implement formal procedures + for registering, modifying, and deleting policies. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? 
+ + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node860 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node859 + description: Establish application and approval procedures for policy registration, + modification, and deletion for security systems like firewalls and DLP. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node861 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node859 + description: Maintain records of policy application, approval, and implementation + to ensure accountability. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node862 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node859 + description: 'Considerations when applying security system policies (rule sets):' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? 
+ + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node863 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node862 + description: Follow the principle of least privilege, granting only the minimum + necessary permissions. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node864 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node862 + description: Network access control policies should be set to block all by default, + allowing only specific IPs and ports that are necessary for work. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node865 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node862 + description: Limit the application period of security policies according to + their purpose. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? 
+ + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node866 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node862 + description: Manage the registration and modification of security policies through + formal procedures. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node867 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: Manage exception policies for security systems according to procedures, + and ensure that exception policy users are given the minimum necessary permissions. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node868 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node867 + description: Review the validity of the reason for the exception request. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? 
+ + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node869 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node867 + description: 'Conduct a security review: Evaluate and prepare countermeasures + for the security of exception policies' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node870 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node867 + description: 'Exception policy application and approval: Obtain approval from + responsible persons or administrators for each security system.' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node871 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node867 + description: Monitor the expiration of exception policies and the use of exceptions. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? 
+ + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node872 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: 'Periodically review the validity of the policies set on the security + systems, considering the following:' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node873 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Internal policy or guideline violations (e.g., overly permissive + rules). 
+ annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node874 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Policies registered without formal approval procedures. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? 
+ + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node875 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Policies not used for a long time. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node876 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Duplicate or expired policies. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? 
+ + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node877 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Policies related to resignations or job changes. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node878 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node872 + description: Exception-related policies. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node879 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.1 + description: To prevent illegal access and leakage of personal information, + install and operate security systems that perform functions required by relevant + laws and regulations. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? 
+ + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node880 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node879 + description: 'Mandatory Functional Requirements for Access Control Systems Required + by Personal Information Protection Laws:' + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node881 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node880 + description: 1. 
Restrict access to the personal information processing system + by IP address or other means to prevent unauthorized access. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node882 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node880 + description: 2. Analyze IP addresses and other access details to detect and + respond to attempts of personal information leakage. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? 
+ + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node883 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node879 + description: If a personal information processing system is configured in a + cloud environment, access control functions can be implemented using security + features or services provided by the cloud service provider. + annotation: 'Key Points for Verification: + + - Are procedures for the operation of security systems managed by the organization + established and implemented? + + - For each security system, are formal procedures for the registration, modification, + and deletion of policies established and implemented? + + - Are exception policy registrations in the security system managed according + to procedures, and are exception policy users managed with + + minimum authority? + + - Are the validity of policies set on security systems regularly reviewed? + + - For the prevention of illegal access and personal information leakage from + personal information processing systems, are security systems that perform + functions prescribed by relevant laws installed and operated? + + - Are the number of personnel authorized to access the security systems, such + as security system administrators, minimized and is access by unauthorized + individuals strictly controlled?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.2 + name: Cloud Security + - urn: urn:intuitem:risk:req_node:k_isms_p:node885 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.2 + description: You must clearly define the responsibilities and roles related + to information security and personal data protection with the cloud service + provider and reflect these in the contract (e.g., SLA). + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node886 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node885 + description: 'Roles and Responsibilities According to Cloud Service Type (Examples): ' + annotation: 'You will find a table on page 155. 
+ + Note: May vary depending on the cloud service provider, service configuration, + and characteristics.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node887 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.2 + description: When using cloud services, you must evaluate the security risks + associated with the service type and establish and implement security control + policies to prevent unauthorized access, configuration errors, and other risks. + This includes security configuration and setting standards, procedures for + changing and approving security settings, secure access methods, and authorization + frameworks. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node888 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node887 + description: 'Risk Assessment for External Cloud Services: Consider service + quality and continuity, legal compliance, and security aspects.' + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node889 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node887 + description: Establish and implement security control policies based on the + risk assessment results for cloud services. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? 
+ + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node890 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.2 + description: Administrative privileges for cloud service management must be + minimized according to roles, and protective measures such as enhanced authentication, + encryption, access control, and audit logging should be applied to prevent + unauthorized access and abuse of privileges. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. 
+ + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node891 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node890 + description: 'Granular Cloud Service Administrator Privileges: Chief Administrator, + Virtual Network Administrator, Security Administrator, DevOps Administrator, + etc.' + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node892 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node890 + description: Minimize administrator privileges according to job roles and responsibilities. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node893 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node890 + description: 'Apply enhanced authentication for cloud administrator access: + OTP, security keys, etc.' + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? 
+ + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node894 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node890 + description: Apply communication encryption or VPN for remote access. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? 
+ + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node895 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node890 + description: Maintain detailed logs and monitoring for cloud administrator access + and privilege settings. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node896 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.2 + description: You must monitor changes to cloud service security settings and + operational status and regularly review their appropriateness. 
+ annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node897 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node896 + description: Set up alarms and monitoring to detect unauthorized environment + and security setting changes in cloud services. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? 
This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node898 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node896 + description: Regularly review and address the appropriateness of cloud service + security settings. + annotation: 'Key Points for Verification: + + - Have you clearly defined the responsibilities and roles related to information + security and personal data protection with the cloud service provider, and + reflected these in the contract (e.g., SLA)? + + - When using cloud services, do you assess the security risks associated with + the service type and establish and implement security control policies to + prevent unauthorized access, configuration errors, and other risks? This includes + security configuration and settings standards, procedures for changing and + approving security settings, secure access methods, and authorization frameworks. + + - Are administrative privileges for cloud service management minimized according + to roles, and are enhanced protective measures such as strengthened authentication, + encryption, access control, and audit logging applied to prevent unauthorized + access and abuse of privileges? + + - Do you monitor changes to security settings and operational status of the + cloud service and regularly review their appropriateness?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.3 + name: Public Server Security + - urn: urn:intuitem:risk:req_node:k_isms_p:node900 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.3 + description: 'If operating public servers such as web servers, you must establish + and implement protective measures:' + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node901 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900 + description: For transmitting personal data via web servers, establish a secure + server with SSL (Secure Socket Layer) / TLS (Transport Layer Security) certificates. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? 
+ + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node902 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900 + description: Install and update antivirus software. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? + + - Is there a regular check to ensure that important information is not exposed + through websites and web servers, and if exposure is detected, are immediate + actions taken to block it?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node903 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900 + description: Apply the latest security patches to applications (e.g., web servers, + OpenSSL) and operating systems. + annotation: 'Key Points for Verification: + + - Are protective measures established and implemented for operating public + servers? + + - Are public servers installed in a DMZ (Demilitarized Zone) that is separated + from the internal network and protected through security systems such as intrusion + prevention systems? + + - If personal data and important information need to be posted or stored on + public servers, is there a procedure for approval and posting, including responsibility + for authorization? 
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node904
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900
+ description: Remove unnecessary services and block unused ports.
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node905
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900
+ description: Prohibit the installation of unnecessary software, scripts, and
+ executable files.
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node906
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900
+ description: Prevent the exposure of unnecessary pages such as error handling
+ or test pages.
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node907
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node900
+ description: Conduct regular vulnerability assessments.
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node908
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.3
+ description: 'Public servers should be installed in a DMZ (Demilitarized Zone)
+ that is separated from the internal network and protected by security systems
+ such as intrusion prevention systems:'
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node909
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node908
+ description: Apply access control policies through intrusion prevention systems
+ to ensure that even if the public server is compromised, internal network
+ access through the public server is not possible.
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node910
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node908
+ description: Apply strict access control policies when the public server in
+ the DMZ needs to connect to internal network information systems such as databases
+ or Web Application Servers (WAS).
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node911
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.3
+ description: 'If personal data and important information need to be posted or
+ stored on public servers, establish and implement approval and posting procedures,
+ including responsibility authorization:'
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node912
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node911
+ description: As a general rule, storing personal data and important information
+ on web servers in the DMZ is prohibited. If it is unavoidable for business
+ purposes, apply approval procedures and protective measures.
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node913
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node911
+ description: Perform pre-review and approval procedures before posting personal
+ data and important information on websites.
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node914
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node911
+ description: Take measures to prevent exposure of personal data and important
+ information to unauthorized persons via external search engines.
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node915
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.3
+ description: You must regularly check whether the organization's important information
+ is being exposed through websites and web servers, and take immediate action
+ to block the exposure if it is detected.
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node916
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node915
+ description: Regularly inspect using search engines and apply necessary measures.
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node917
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node915
+ description: If exposure of important information is detected, take blocking
+ measures on the website and request the search engine provider to prevent
+ continued exposure through caches or other means.
+ annotation: 'Key Points for Verification:
+
+ - Are protective measures established and implemented for operating public
+ servers?
+
+ - Are public servers installed in a DMZ (Demilitarized Zone) that is separated
+ from the internal network and protected through security systems such as intrusion
+ prevention systems?
+
+ - If personal data and important information need to be posted or stored on
+ public servers, is there a procedure for approval and posting, including responsibility
+ for authorization?
+
+ - Is there a regular check to ensure that important information is not exposed
+ through websites and web servers, and if exposure is detected, are immediate
+ actions taken to block it?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.4
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10
+ ref_id: 2.10.4
+ name: Electronic Transactions and Fintech Security
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node919
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.4
+ description: If you provide electronic transactions and fintech services, you
+ must establish and implement protective measures to ensure the safety and
+ reliability of transactions.
+ annotation: 'Key Points for Verification:
+
+ - If you provide electronic transactions and fintech services, have you established
+ and implemented protective measures to ensure the safety and reliability of
+ transactions?
+
+ - If you connect with external systems such as payment systems to provide
+ electronic transactions and fintech services, have you established and implemented
+ measures to protect the transmitted and received related information and checked
+ its security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node920
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node919
+ description: Electronic transactions' refer to transactions where all or part
+ of the transaction is processed using electronic documents (Electronic Documents
+ and Electronic Transactions Basic Act, Article 2).
+ annotation: 'Key Points for Verification:
+
+ - If you provide electronic transactions and fintech services, have you established
+ and implemented protective measures to ensure the safety and reliability of
+ transactions?
+
+ - If you connect with external systems such as payment systems to provide
+ electronic transactions and fintech services, have you established and implemented
+ measures to protect the transmitted and received related information and checked
+ its security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node921
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node919
+ description: Electronic commerce' refers to commercial transactions conducted
+ using electronic transaction methods (Act on Consumer Protection in Electronic
+ Commerce, etc., Article 2).
+ annotation: 'Key Points for Verification:
+
+ - If you provide electronic transactions and fintech services, have you established
+ and implemented protective measures to ensure the safety and reliability of
+ transactions?
+
+ - If you connect with external systems such as payment systems to provide
+ electronic transactions and fintech services, have you established and implemented
+ measures to protect the transmitted and received related information and checked
+ its security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node922
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node919
+ description: Fintech' is a combination of finance (Finance) and technology (Technology),
+ and it encompasses the changes in financial services and industry through
+ the convergence of finance and IT (Financial Services Commission Financial
+ Terminology Dictionary).
+ annotation: 'Key Points for Verification:
+
+ - If you provide electronic transactions and fintech services, have you established
+ and implemented protective measures to ensure the safety and reliability of
+ transactions?
+
+ - If you connect with external systems such as payment systems to provide
+ electronic transactions and fintech services, have you established and implemented
+ measures to protect the transmitted and received related information and checked
+ its security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node923
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node919
+ description: Electronic (commerce) businesses and fintech service providers
+ must establish and implement protective measures to prevent security incidents
+ in the collection, storage management, and disposal of users' personal information,
+ trade secrets (such as client identification information, and prices of goods
+ or services which may cause business losses if disclosed), and payment information
+ (such as authentication, encryption, and access control).
+ annotation: 'Key Points for Verification:
+
+ - If you provide electronic transactions and fintech services, have you established
+ and implemented protective measures to ensure the safety and reliability of
+ transactions?
+
+ - If you connect with external systems such as payment systems to provide
+ electronic transactions and fintech services, have you established and implemented
+ measures to protect the transmitted and received related information and checked
+ its security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node924
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node919
+ description: For fintech services, it is necessary to identify all possible
+ risk factors associated with the fintech service, reflecting the service's
+ type and characteristics, and apply the necessary protective measures.
+ annotation: 'Key Points for Verification:
+
+ - If you provide electronic transactions and fintech services, have you established
+ and implemented protective measures to ensure the safety and reliability of
+ transactions?
+
+ - If you connect with external systems such as payment systems to provide
+ electronic transactions and fintech services, have you established and implemented
+ measures to protect the transmitted and received related information and checked
+ its security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node925
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.4
+ description: When providing electronic transactions and fintech services, if
+ you are integrating with external systems such as payment systems, you must
+ establish and implement measures to protect the related information being
+ transmitted and received, and regularly check its security.
+ annotation: 'Key Points for Verification:
+
+ - If you provide electronic transactions and fintech services, have you established
+ and implemented protective measures to ensure the safety and reliability of
+ transactions?
+
+ - If you connect with external systems such as payment systems to provide
+ electronic transactions and fintech services, have you established and implemented
+ measures to protect the transmitted and received related information and checked
+ its security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node926
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node925
+ description: 'Electronic payment operators'' are entities involved in the issuance
+ of electronic payment methods, provision of electronic payment services, or
+ assisting or mediating the implementation of such services through electronic
+ payment methods (Act on Consumer Protection in Electronic Commerce, etc.,
+ Enforcement Decree, Article 8), and include the following:'
+ annotation: 'Key Points for Verification:
+
+ - If you provide electronic transactions and fintech services, have you established
+ and implemented protective measures to ensure the safety and reliability of
+ transactions?
+
+ - If you connect with external systems such as payment systems to provide
+ electronic transactions and fintech services, have you established and implemented
+ measures to protect the transmitted and received related information and checked
+ its security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node927
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node926
+ description: Financial institutions, credit card companies, issuers of payment
+ methods (entities that record and store monetary value or equivalent value
+ in electronic media or information processing systems, and provide it upon
+ purchase of goods, etc.), telecommunications payment service providers, and
+ electronic payment processing or mediation service providers (such as payment
+ gateway companies).
+ annotation: 'Key Points for Verification:
+
+ - If you provide electronic transactions and fintech services, have you established
+ and implemented protective measures to ensure the safety and reliability of
+ transactions?
+
+ - If you connect with external systems such as payment systems to provide
+ electronic transactions and fintech services, have you established and implemented
+ measures to protect the transmitted and received related information and checked
+ its security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node928
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node925
+ description: Appropriate protection measures must be established and implemented
+ to prevent damage between parties involved in transactions due to breaches
+ such as leakage, tampering, or fraud of payment-related information transmitted
+ between e-commerce operators and electronic payment service providers or fintech
+ service providers. Additionally, the safety of these measures must be regularly
+ checked.
+ annotation: 'Key Points for Verification:
+
+ - If you provide electronic transactions and fintech services, have you established
+ and implemented protective measures to ensure the safety and reliability of
+ transactions?
+
+ - If you connect with external systems such as payment systems to provide
+ electronic transactions and fintech services, have you established and implemented
+ measures to protect the transmitted and received related information and checked
+ its security?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.5
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10
+ ref_id: 2.10.5
+ name: Information Transmission Security
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node930
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.5
+ description: When transmitting personal and sensitive information to external
+ organizations, a secure transmission policy must be established.
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node931
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node930
+ description: 'Information Transmission Technology Standards: Encryption methods,
+ key exchange and management, protocol standards, and communication methods.'
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node932
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node930
+ description: 'Information Transmission Review Procedures: Reporting and approval
+ processes, roles and responsibilities between relevant organizations, and
+ security reviews.'
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node933
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node930
+ description: 'Information Transmission Agreement Standards: Standard security
+ agreements or contract templates.'
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node934
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node930
+ description: 'Other Protection Measures Application Standards: Protection measures
+ reflecting legal requirements.'
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node935
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.5
+ description: When exchanging important and personal information between organizations
+ for business purposes, protection measures such as establishing agreements
+ for secure transmission must be established and implemented.
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node936
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node935
+ description: For the electronic exchange of important information between organizations
+ or affiliates, establish agreements (security agreements, contracts, annexes,
+ SLAs, etc.) for secure transmission and implement them accordingly.
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node937
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node936
+ description: 'Related Business Definitions: Transmission of personal information
+ for direct mail (DM) purposes to DM service providers, transfer of collection
+ information to debt collection agencies, provision of personal information
+ to third parties, transmission of credit card payment information to VAN (Value
+ Added Network) companies, etc.'
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node938
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node936
+ description: Exchange only the minimum necessary information to comply with
+ regulations or prevent information leakage.
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node939
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node936
+ description: Designate responsible persons and authorities.
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node940
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node936
+ description: Define information transmission technology standards.
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node941
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node936
+ description: Administrative, technical, and physical protection measures for
+ information transmission, storage, and disposal.
+ annotation: 'Key Points for Verification:
+
+ - When transmitting personal and sensitive information to external organizations,
+ is a secure transmission policy established?
+
+ - When exchanging personal and sensitive information between organizations
+ for business purposes, are protection measures such as establishing agreements
+ for secure transmission in place and implemented?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node942
+ assessable: false
+ depth: 7
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node941
+ description: 'DM (Direct Mail): Refers to promotional activities conducted through
+ mail, including the delivery of letters, postcards, notices, leaflets, catalogs,
+ and bills directly or through postal means.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.6 + name: Security of Work Terminals + - urn: urn:intuitem:risk:req_node:k_isms_p:node944 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.6 + description: Security control policies for devices used for work, such as PCs, + laptops, virtual PCs, and tablets, must be established and implemented. This + includes device authentication, approval, access range settings, and device + security configurations. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node945 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: Criteria for Allowing Work Devices + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? 
+ + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node946 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: Scope of Work Use Through Work Devices + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node947 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: Approval Procedures and Methods for Using Work Devices + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node948 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: 'Authentication Methods for Connecting to Work Networks: Device + Authentication, MAC Authentication, etc.' + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? 
+ + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node949 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: 'Security Configuration Policies for Work Devices: Installation + of Antivirus Software, Security Programs, etc.' + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node950 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node944 + description: Security Configuration Policies for Using Work Devices and Monitoring + Measures for Misuse or Abuse + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? 
+ + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node951 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.6 + description: To prevent the leakage of personal and sensitive information through + work devices, policies must be established and implemented, including prohibiting + the use of file-sharing programs, limiting sharing settings, and controlling + wireless network usage. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node952 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node951 + description: When sharing settings are unavoidable, set access rights passwords + for work devices and remove sharing settings after use. 
+ annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node953 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node951 + description: If file transfers are necessary, provide only read permissions + by default and grant write permissions individually when required. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node954 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node951 + description: Prevent the leakage or exposure of personal and sensitive information + through P2P programs, commercial webmail, web storage, messaging services, + and social networking services due to intentional or careless actions. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node955 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node951 + description: Utilize wireless networks that apply security protocols like WPA2 + (Wi-Fi Protected Access 2). + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? 
+ + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node956 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.6 + description: To prevent the leakage or exposure of personal and sensitive information + due to the loss or theft of mobile devices used for work, security measures + such as setting passwords must be applied. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node957 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.6 + description: The appropriateness of access control measures for work devices + must be periodically checked. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? 
+ + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node958 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node957 + description: Application and approval processes for work devices, registration + and de-registration, and device authentication history. + annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node959 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node957 + description: Current status of security settings on work devices. 
+ annotation: 'Key Points for Verification: + + - Have security control policies been established and implemented for devices + used for work, such as PCs, laptops, virtual PCs, and tablets, including device + authentication, approval, access range settings, and device security configurations? + + - To prevent the leakage of personal and sensitive information through work + devices, have policies been established and implemented to restrict the use + of data-sharing programs, limit sharing settings, and control the use of wireless + networks? + + - Have security measures been applied to prevent the exposure or loss of personal + and sensitive information due to the loss or theft of work mobile devices? + + - Is the appropriateness of access control measures for work devices periodically + reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.7 + name: Management of Auxiliary Storage Media + - urn: urn:intuitem:risk:req_node:k_isms_p:node961 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + description: External hard drives, USB memory sticks, CDs, and other auxiliary + storage media must have established and implemented policies and procedures + for their handling (use), storage, disposal, and reuse. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? 
+ + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node962 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node961 + description: 'Management Plan for Auxiliary Storage Media Holdings: Maintenance + of an auxiliary storage media management ledger, etc.' + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node963 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node961 + description: Procedures for Authorization and Registration of Auxiliary Storage + Media Use + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? 
+ + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node964 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node961 + description: Procedures for Managing the Inbound and Outbound Transfer of Auxiliary + Storage Media + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node965 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node961 + description: Procedures for Disposal and Reuse of Auxiliary Storage Media + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? 
+ + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node966 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node961 + description: 'Scope of Auxiliary Storage Media Use: Policies and procedures + for usage within protected areas such as controlled and restricted zones' + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node967 + assessable: false + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + description: You must periodically inspect the status of auxiliary storage media + holdings, usage, and management practices. 
+ annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node968 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node967 + description: Check management practices such as evidence of approval for use, + current holdings, management ledgers, and usage history. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node969 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + description: The use of auxiliary storage media must be restricted in controlled + areas, critical restricted zones, and other protected areas where major information + systems are located. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node970 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node969 + description: In unavoidable cases, use must be authorized by a responsible person + and conducted following proper procedures. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? 
+ + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node971 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node969 + description: Conduct regular reviews of the use of auxiliary storage media within + controlled and critical restricted zones. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node972 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + description: You must establish measures to prevent malware infections and the + leakage of sensitive information through auxiliary storage media. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? 
+ + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node973 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node972 + description: Establish and implement protective measures such as disabling automatic + execution of auxiliary storage media and using antivirus programs before use. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node974 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.7 + description: Auxiliary storage media containing personal information or sensitive + information must be stored in a secure location with a locking device. 
+ annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node975 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node974 + description: Auxiliary storage media containing personal or sensitive information + (e.g., portable hard drives, USB memory sticks, SSDs) should be kept in a + safe or another secure location equipped with a locking mechanism. + annotation: 'Key Points for Verification: + + - Have you established and implemented policies and procedures for the handling + (use), storage, disposal, and reuse of auxiliary storage media such as external + hard drives, USB memory sticks, and CDs? + + - Do you periodically check the status of auxiliary storage media holdings, + usage, and management? + + - Are you restricting the use of auxiliary storage media in controlled areas + and critical restricted zones where major information systems are located? + + - Have you established measures to prevent malware infection and information + leakage through auxiliary storage media? + + - Are auxiliary storage media containing personal or sensitive information + stored in a secure location with locking mechanisms?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.8 + name: Patch Management + - urn: urn:intuitem:risk:req_node:k_isms_p:node977 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + description: Establish and implement OS and software patch management policies + and procedures according to the characteristics and importance of assets such + as servers, network systems, security systems, and PCs. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node978 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Establish and implement OS and software patch management policies + and procedures according to the characteristics and importance of assets such + as servers, network systems, security systems, and PCs. 
+ annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node979 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: "Patch Frequency:\_Reflect the importance and characteristics of\ + \ the assets." + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node980 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Patch Information Verification Methods + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node981 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Pre-Deployment Review Procedures + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? 
+ + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node982 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Emergency Patch Application Procedures + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node983 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Security Review for Unapplied Patches + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? 
+ + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node984 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Patch Managers and Responsible Personnel + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node985 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node977 + description: Patch-related vendor (manufacturer) contact information + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? 
+ + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node986 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + description: Regularly manage the OS and software patch application status for + major servers, network systems, security systems, etc. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node987 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node986 + description: Manage as a list that includes version information, patch application + status, and application dates for the OS and software installed on major servers, + network systems, security systems, etc. 
+ annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node988 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node986 + description: Regularly check the need for applying the latest security patches. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node989 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + description: If it is difficult to apply the latest patches to address vulnerabilities + due to service impact, supplementary measures must be established. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node990 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node989 + description: When applying patches to operational systems, consider the importance + and characteristics of the system, and thoroughly analyze the impact following + established procedures, as applying patches may affect system availability + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? 
+ + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node991 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node989 + description: If immediate patch application is challenging due to the operational + environment, document the reasons, develop additional supplementary measures, + report to the responsible party, and manage the status. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node992 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + description: For major servers, network systems, and security systems, restrict + patching through public internet access. 
+ annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node993 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node992 + description: However, if unavoidable, conduct a risk analysis beforehand, establish + protective measures, and apply them after obtaining approval from the responsible + party. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node994 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.8 + description: When using a Patch Management System (PMS), ensure sufficient protective + measures, such as access control, as the PMS server or management console + could be exploited to distribute malware to internal network servers or PCs. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node995 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node994 + description: 'Implement access control measures for the Patch Management System + itself: block access for unauthorized administrators, change default passwords, + and eliminate security vulnerabilities.' + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? 
+ + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node996 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node994 + description: Perform file integrity checks when distributing update files. + annotation: 'Key Points for Verification: + + - Have patch management policies and procedures for operating systems (OS) + and software been established and implemented according to the characteristics + and importance of assets such as servers, network systems, security systems, + and PCs? + + - Are the OS and software patch application statuses for major servers, network + systems, and security systems being regularly managed? + + - If it is difficult to apply the latest patches due to service impact, are + supplementary measures being prepared? + + - Are patches for major servers, network systems, and security systems restricted + from being applied via public internet access? + + - If a patch management system is used, have sufficient protection measures + such as access control been established?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.10.9 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10 + ref_id: 2.10.9 + name: Malware Control + - urn: urn:intuitem:risk:req_node:k_isms_p:node998 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.9 + description: 'To protect information systems and business terminals from malware + such as viruses, worms, Trojans, and ransomware, protective measures must + be established and implemented, including the following:' + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node999 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Guidelines for PC usage (e.g., prohibiting the opening of suspicious + emails and files, prohibiting the download and installation of unauthorized + programs). + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? 
+ + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1000 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Malware response guidelines for information systems and personal + information processing systems. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1001 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Scope of antivirus program installation (targeting information + assets vulnerable to malware infection). + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? 
+ + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1002 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Procedures for installing antivirus programs. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1003 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Preventive and detection activities for the latest malware through + antivirus programs and other security tools. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? 
+ + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1004 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Policies for regular monitoring of malware infections via antivirus + programs and other tools. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1005 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Configuration of automatic updates for antivirus software or performing + updates at least once a day. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? 
+ + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1006 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: Prohibition of unauthorized programs, such as P2P and web hard + services, on information systems and business computers. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1007 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node998 + description: User education and information provision. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1008 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.9 + description: 'Ongoing activities must be conducted to prevent and detect the + latest malware through antivirus software and other security programs:' + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1009 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1008 + description: Scanning email attachments for malware infections. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1010 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1008 + description: Real-time monitoring and remediation of malware. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1011 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1008 + description: 'Regular malware checks: setting up automated virus scan schedules.' + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1012 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1008 + description: Maintaining the latest version of the antivirus engine through + regular updates. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1013 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.9 + description: Antivirus software and other security programs must be kept up + to date, and emergency security updates should be performed when necessary. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1014 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1013 + description: 'Compliance with antivirus update frequency: Ensure automatic updates + or perform updates at least once a day.' + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1015 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1013 + description: Perform updates in response to malware alerts or emergency update + notifications. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1016 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1013 + description: When managing antivirus programs via a central management system, + implement protective measures such as access control for the management server + and integrity verification of distribution files. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1017 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.10.9 + description: When managing antivirus programs via a central management system, + implement protective measures such as access control for the management server + and integrity verification of distribution files. + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? 
+ + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1018 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1017 + description: Establish response procedures upon detecting malware infections + (e.g., disconnecting network cables). + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1019 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1017 + description: Maintain an emergency contact list (e.g., contacts for antivirus + software vendors and relevant organizations). + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? 
+ + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1020 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1017 + description: Prepare a response report template (including the date and time + of detection, response procedures and methods, responsible personnel, and + preventive measures). + annotation: 'Key Points for Verification: + + - Have protective measures been established and implemented to protect information + systems and business terminals from malware such as viruses, worms, Trojans, + and ransomware? + + - Are continuous activities being carried out to prevent and detect the latest + malware through security programs such as antivirus software? + + - Are security programs, including antivirus software, kept up-to-date, and + are emergency security updates performed when necessary? + + - When malware infection is detected, have response procedures been established + and implemented to minimize the spread and damage caused by the malware?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.11' + name: Incident Prevention and Response + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + ref_id: 2.11.1 + name: ' Establishing Incident Prevention and Response Systems' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.1 + description: 'A system and procedures must be established to prevent security + breaches and personal information leakage incidents, and to respond quickly + and effectively in case of an incident. 
The following elements should be included:' + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1024 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Definition and scope of security breaches (e.g., personal information + leakage, hacking incidents, denial-of-service attacks). + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1025 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Types and severity of security breaches. 
+ annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1026 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Procedures and methods for declaring a security breach. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1027 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Communication systems, including emergency contact lists. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? 
+ + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1028 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Systems for detecting security breaches. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1029 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Procedures for recording and reporting security breaches. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? 
+ + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1030 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Procedures for reporting and notifying relevant agencies, data + subjects, and users in the event of a security breach. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1031 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Preparation of security breach reports. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1032 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Response and recovery procedures based on the severity and type + of security breach. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1033 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Formation, responsibilities, and roles of the recovery team for + security breaches. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1034 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Procurement of recovery equipment and resources. 
+ annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1035 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Training for security breach response and recovery, including training + scenarios. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1036 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Utilization of external experts and specialized institutions. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? 
+ + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1037 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1023 + description: Other necessary measures for preventing and recovering from security + incidents + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1038 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.1 + description: When establishing and operating a security incident response system + through external organizations such as security monitoring services, the details + of the incident response procedures must be reflected in the contract (e.g., + SLA). + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? 
+ + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1039 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1038 + description: Scope of the security monitoring service. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1040 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1038 + description: Reporting and response procedures upon detection of security threats. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? 
+ + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1041 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1038 + description: Reporting and response procedures in case of a security incident. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1042 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1038 + description: Responsibilities and roles related to security incidents. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1043 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.1 + description: A coordination system with external experts, specialized companies, + and professional institutions must be established for monitoring, responding + to, and handling security incidents. + annotation: 'Key Points for Verification: + + - Are you establishing and implementing systems and procedures to prevent + security incidents and data breaches and to respond quickly and effectively + when such incidents occur? + + - When establishing and operating a security incident response system through + external organizations, such as security monitoring services, are the details + of the incident response procedures reflected in the contract? + + - Have you established a coordination system with external experts, specialized + companies, and professional institutions for monitoring, responding to, and + handling security incidents?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + ref_id: 2.11.2 + name: Vulnerability Inspection and Remediation + - urn: urn:intuitem:risk:req_node:k_isms_p:node1045 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.2 + description: You must establish and regularly perform procedures for vulnerability + assessment of information systems. + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? 
+ + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1045 + description: 'Items to include in the vulnerability assessment procedure:' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1047 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: "Vulnerability Assessment Targets:\_(e.g., servers, network devices,\ + \ etc.)" + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1048 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: "Assessment Frequency:\_(considering legal requirements, importance,\ + \ etc.)" + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1049 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Designated Assessors and Responsible Persons + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1050 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Assessment Procedures and Methods + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1051 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Action Criteria Based on Importance + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1052 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Reporting Procedures for Assessment Results + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1053 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Security Review for Unaddressed Vulnerabilities + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1054 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1046 + description: Other necessary measures for preventing and recovering from security + incidents + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1045 + description: 'Vulnerability Assessment Targets:' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1056 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Vulnerabilities in network systems configuration and settings (e.g., + routers, switches) + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1057 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Security settings vulnerabilities in server operating systems + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1058 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Vulnerabilities in security systems (e.g., firewalls) + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1059 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Application vulnerabilities + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1060 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Web service vulnerabilities + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1061 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1055 + description: Vulnerabilities in smart devices and mobile services (e.g., mobile + apps) + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1062 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1045 + description: You should consider performing penetration testing based on the + company's size and the importance of the information held. + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1063 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1045 + description: Data controllers are required to include vulnerability assessment + measures to prevent data leakage or theft in their internal management plans + and to establish and implement them (Article 4, Paragraph 1, Item 10 of the + Personal Information Safety Measures Standards). + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? 
+ + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1064 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.2 + description: Actions must be taken for identified vulnerabilities, and the results + must be reported to the responsible person. + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1065 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1064 + description: 'Report Preparation: Include details such as the date of the assessment, + targets, methods, contents and results, findings, and corrective actions in + the report to ensure proper record-keeping.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? 
+ + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1066 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1064 + description: 'Verification: Confirm the completion of corrective actions through + follow-up checks for each identified vulnerability.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1067 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1064 + description: 'Unresolved Vulnerabilities: Clearly identify the reasons for any + vulnerabilities that cannot be addressed, report the associated risks and + supplementary measures to the responsible person.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? 
+ + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1068 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.2 + description: Continuously identify and analyze the impact of the latest security + vulnerabilities on information systems and take necessary actions. + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1069 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1068 + description: 'Ongoing Monitoring: In addition to regular security vulnerability + assessments, continuously identify the latest vulnerabilities.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? 
+ + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1070 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1068 + description: 'Impact Analysis: When new security vulnerabilities are discovered, + analyze their impact on the information systems and take necessary corrective + measures.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1071 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.2 + description: Maintain records of vulnerability assessment history and establish + measures to address issues such as the recurrence of vulnerabilities identified + in the previous year. + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? 
+ + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1072 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1071 + description: 'Record Management: Keep records of the vulnerability assessment + history.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1073 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1071 + description: 'Comparison Analysis: Compare and analyze current vulnerability + assessment results with previous assessments to check for recurrences.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? 
+ + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1074 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1071 + description: 'Root Cause Analysis: If similar vulnerabilities reoccur, conduct + a root cause analysis and develop measures to prevent recurrence.' + annotation: 'Key Points for Verification: + + - Have you established a procedure for vulnerability assessment of information + systems and are you performing regular checks? + + - Do you take action on identified vulnerabilities and report the results + to the responsible person? + + - Are you continuously monitoring for the occurrence of new security vulnerabilities, + analyzing their impact on information systems, and taking appropriate measures? + + - Do you maintain records of vulnerability assessment history and have you + implemented protective measures to address issues such as the recurrence of + vulnerabilities identified in the previous year?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + ref_id: 2.11.3 + name: Analyzing and Monitoring Unusual Activity + - urn: urn:intuitem:risk:req_node:k_isms_p:node1076 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.3 + description: To detect abnormal activities such as intrusion attempts, personal + data leakage attempts, and fraudulent behavior by internal and external sources, + you must collect, analyze, and monitor network traffic, data flows, and event + logs from major information systems, applications, networks, and security + systems. 
+ annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1076 + description: You should establish a system for collecting and analyzing logs + from information systems, security systems, applications, and network equipment + to determine abnormal behavior. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1078 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + description: Targets and scope for collecting or monitoring event logs + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1079 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + description: Methods for collection, analysis, and monitoring + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1080 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + description: Designation of responsible personnel and accountability + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1081 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + description: Reporting system for analysis and monitoring results + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1082 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1077 + description: Response procedures for detecting abnormal behavior + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1083 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1076 + description: For organizations with high importance of information systems, + consider 24-hour real-time monitoring. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1084 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.3 + description: You must define criteria and thresholds for determining intrusion + attempts, personal data leakage attempts, and fraudulent activities, and ensure + that judgments, investigations, and subsequent actions are carried out promptly + according to these criteria. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1085 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1084 + description: Establish criteria and thresholds for identifying abnormal behavior + and reflect them in the system as necessary. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? 
+ + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1086 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1084 + description: Regularly review and optimize the defined criteria and thresholds. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? + + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1087 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1084 + description: When abnormal behavior is confirmed, perform emergency responses, + request explanations, and conduct cause investigations according to regulations. + annotation: 'Key Points for Verification: + + - Are you collecting, analyzing, and monitoring network traffic, data flows, + and event logs from major information systems, applications, networks, and + security systems to detect abnormal activities such as intrusion attempts, + attempts to leak personal information, and fraudulent actions? 
+ + - Have you defined criteria and thresholds to determine the presence of intrusion + attempts, personal information leakage attempts, and fraudulent activities, + and are follow-up actions, such as judgment and investigation of abnormal + activities, being carried out in a timely manner according to these criteria?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + ref_id: 2.11.4 + name: Incident Response Training and Improvement + - urn: urn:intuitem:risk:req_node:k_isms_p:node1089 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.4 + description: You must establish a simulation training plan for responding to + security incidents and personal data leakage incidents, and conduct such training + at least once a year. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1090 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1089 + description: Review the adequacy of the incident response procedures and ensure + that the simulation training plan is established and implemented to enable + prompt response in the event of an incident. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1091 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1089 + description: Develop realistic and practical simulation training scenarios that + reflect the latest incident cases, hacking trends, and business characteristics. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1092 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1089 + description: Form a simulation training team that includes all relevant organizational + units involved in incident response, such as information security, personal + data protection, IT, legal, HR, and public relations. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1093 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1089 + description: Conduct simulation training at least once a year to ensure that + relevant employees are familiar with the incident response procedures. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? 
+ + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1094 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.4 + description: You must improve the incident response system for security incidents + and personal data leakage incidents based on the results of the training exercises. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1095 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1094 + description: Prepare and report an internal report on the results of the simulation + training. + annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1096 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1094 + description: Identify areas for improvement based on the simulation training + results and reflect these improvements in the response procedures as necessary. 
+ annotation: 'Key Points for Verification: + + - Have you established a simulation training plan for responding to security + incidents and personal data leakage incidents, and are you conducting such + training at least once a year? + + - Are you improving the response system for security incidents and personal + data leakage incidents based on the results of the training exercises?' + - urn: urn:intuitem:risk:req_node:k_isms_p:2.11.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11 + ref_id: 2.11.5 + name: Incident Response and Recovery + - urn: urn:intuitem:risk:req_node:k_isms_p:node1098 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.5 + description: When signs of or an actual incident of a security breach or personal + data leak are detected, a prompt response and reporting must be carried out + according to the defined incident response procedures. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1099 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1098 + description: Initial Response and Evidence Preservation for Security Incidents + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1100 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1099 + description: Action to delete, change, or block access rights to information + systems suspected of being compromised + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? 
+ + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1101 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1099 + description: Security checks and vulnerability remediation for network, firewall, + and other internal and external systems + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1102 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1099 + description: Preservation of evidence, such as external access logs, necessary + for incident investigation + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? 
+ + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1103 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1099 + description: Verification of personal and sensitive data leaks through log analysis, + etc. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1098 + description: Preparation and Internal Reporting of Incident Reports Including + the Following + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? 
+ + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1105 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + description: Date and time of the incident + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1106 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + description: Reporter and reporting time + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? 
+ + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1107 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + description: Details of the incident (findings, damage, etc.) + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1108 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + description: Response process details + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1109 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1104 + description: Time taken to respond to the incident, etc. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1110 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1098 + description: If the impact of the incident on the organization is severe, report + it promptly to top management according to the reporting procedures. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1111 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.5 + description: In the event of a personal data breach, the notification of data + subjects and reporting to relevant authorities must be carried out in accordance + with applicable laws and regulations. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? 
+ + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1112 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1111 + description: Requirements for notifying data subjects in the case of loss, theft, + or leakage of personal data (hereinafter referred to as "leakage") + annotation: You will find a table on page 183 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1113 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1111 + description: Requirements for Reporting to Relevant Authorities in the Event + of Personal Data Leakage + annotation: You will find a table on page 184 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1114 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.5 + description: After a Security Incident is Resolved, Analyze the Cause and Report + the Results, Sharing Them with Relevant Organizations and Personnel. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? 
+ + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1115 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1114 + description: ' After handling and concluding a security incident, perform an + analysis of the incident''s cause and prepare a report for the responsible + person. ' + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1116 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1114 + description: Share the incident information, discovered vulnerabilities, causes, + and countermeasures with relevant organizations and personnel. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? 
+ + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1117 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.11.5 + description: Utilize the Information Obtained from Incident Analysis to Establish + Measures to Prevent Recurrence of Similar Incidents, and Modify the Incident + Response Procedures if Necessary. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1118 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1117 + description: 'Establish measures to prevent recurrence of similar incidents + using information obtained from the incident analysis. 
' + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1119 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1117 + description: Modify incident response procedures, information security policies, + and related procedures based on the analysis results, if necessary. + annotation: 'Key Points for Verification: + + - When signs of or actual incidents of security breaches or personal data + leaks are detected, is a prompt response and reporting carried out according + to the defined incident response procedures? + + - In the event of a personal data breach, are the notification of the data + subjects and the reporting to relevant authorities carried out in accordance + with applicable laws and regulations? + + - After the incident is resolved, is an analysis of the incident''s cause + conducted, with the results reported and shared with relevant organizations + and personnel? + + - Are measures established to prevent similar incidents from recurring based + on the analysis of the breach, and are changes made to the incident response + procedures as necessary?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:2.12 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2 + ref_id: '2.12' + name: Disaster Recovery + - urn: urn:intuitem:risk:req_node:k_isms_p:2.12.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12 + ref_id: 2.12.1 + name: Safety Measures for Disaster Preparedness + - urn: urn:intuitem:risk:req_node:k_isms_p:node1122 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12.1 + description: "Identify IT disaster types that could threaten the continuity\ + \ of the organization\u2019s core services (operations), analyze the impact\ + \ scale and effects on operations for each type, and identify the core IT\ + \ services (operations) and systems." + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1123 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1122 + description: "Identify IT disaster types that could threaten the continuity\ + \ of the organization\u2019s core services (operations), such as natural disasters,\ + \ hacking, communication failures, etc." 
+ annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1124 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1122 + description: "Analyze the impact scale and effects on the organization\u2019\ + s core services (operations) for each type of disaster, considering the following\ + \ factors, and identify the core IT services and systems:" + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1125 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1124 + description: "Financial aspects:\_Decrease in revenue, contract penalty payments,\ + \ etc." + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1126 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1124 + description: "Legal aspects:\_Damage compensation lawsuits, etc." 
+ annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1127 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1124 + description: "Qualitative aspects:\_Deterioration of external image, loss of\ + \ competitiveness, etc." + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1128 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12.1 + description: 'Define the Recovery Time Objectives (RTO) and Recovery Point Objectives + (RPO) based on the importance and characteristics of core IT services and + systems:' + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1129 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1128 + description: 'Recovery Time Objective (RTO): Define the target recovery time + from the point of IT service or system disruption until it is restored and + operational. + + Recovery Point Objective (RPO): Define the target point in time to which data + must be recovered.' 
+ annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1130 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12.1 + description: 'Establish and implement disaster recovery plans to ensure the + continuity of core services and systems even during disasters and emergencies. + This includes recovery strategies, emergency recovery teams, emergency contact + systems, and recovery procedures:' + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1131 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1130 + description: 'Develop Cost-Effective Recovery Strategies and Measures: Create + strategies and measures to achieve predefined service and system recovery + time and recovery point objectives in case of IT disasters.' + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1130 + description: 'Build IT Disaster Recovery Systems: Ensure rapid recovery by including + the following elements:' + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1133 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + description: Assign roles and responsibilities to relevant departments and personnel + for recovery in the event of an IT disaster. 
+ annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1134 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + description: Establish a contact system among relevant department personnel + and maintenance vendors within the organization. + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1135 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + description: Includes business impact analysis, definition of recovery time + and recovery point objectives, and identification of core IT services and + systems. + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1136 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + description: Determine the recovery sequence for information systems according + to recovery time objectives. 
+ annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:node1137 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1132 + description: Include disaster occurrence, recovery completion, and post-recovery + management stages. + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1138 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1130 + description: For personal data controllers, develop and regularly review crisis + response manuals and procedures for protecting personal data processing systems + in the event of disasters such as fires, floods, or power outages (as per + the Personal Data Safety Measures Standards Article 11). + annotation: "Key Points for Verification:\n- Have you identified IT disaster\ + \ types that could threaten the continuity of the organization\u2019s core\ + \ services (operations), analyzed the impact scale and effects on operations\ + \ for each type, and identified the core IT services (operations) and systems?\n\ + - Have you defined recovery time objectives (RTO) and recovery point objectives\ + \ (RPO) based on the importance and characteristics of core IT services and\ + \ systems?\n- Have you established and implemented a disaster recovery plan\ + \ to ensure continuity of core services and systems in the event of a disaster,\ + \ including recovery strategies and measures, emergency recovery organization,\ + \ emergency contact systems, and recovery procedures?" + - urn: urn:intuitem:risk:req_node:k_isms_p:2.12.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12 + ref_id: 2.12.2 + name: Disaster Recovery Testing and Improvement + - urn: urn:intuitem:risk:req_node:k_isms_p:node1140 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12.2 + description: To assess the effectiveness of the established IT disaster recovery + system, a disaster recovery test plan must be established and implemented. + annotation: 'Key Points for Verification: + + - Are disaster recovery test plans established and implemented to assess the + effectiveness of the established IT disaster recovery system? 
+ + - Are recovery strategies and measures regularly reviewed and updated to reflect + test results, changes in the information system environment, and legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1141 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1140 + description: ' Regular tests should be conducted according to the test plan + to check if the recovery strategies and measures are effective, and if the + disaster recovery team members respond quickly according to the recovery procedures + during emergencies.' + annotation: 'Key Points for Verification: + + - Are disaster recovery test plans established and implemented to assess the + effectiveness of the established IT disaster recovery system? + + - Are recovery strategies and measures regularly reviewed and updated to reflect + test results, changes in the information system environment, and legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1142 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:2.12.2 + description: Recovery strategies and measures should be regularly reviewed and + updated to reflect changes based on test results, changes in the information + system environment, and legal requirements. + annotation: 'Key Points for Verification: + + - Are disaster recovery test plans established and implemented to assess the + effectiveness of the established IT disaster recovery system? + + - Are recovery strategies and measures regularly reviewed and updated to reflect + test results, changes in the information system environment, and legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1143 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1142 + description: Establish an official change management procedure for the IT disaster + recovery plan. 
+ annotation: 'Key Points for Verification: + + - Are disaster recovery test plans established and implemented to assess the + effectiveness of the established IT disaster recovery system? + + - Are recovery strategies and measures regularly reviewed and updated to reflect + test results, changes in the information system environment, and legal requirements?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1144 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1142 + description: Regularly review and update the recovery plan considering the results + of disaster recovery tests and changes in the information system environment. + annotation: 'Key Points for Verification: + + - Are disaster recovery test plans established and implemented to assess the + effectiveness of the established IT disaster recovery system? + + - Are recovery strategies and measures regularly reviewed and updated to reflect + test results, changes in the information system environment, and legal requirements?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3 + assessable: false + depth: 1 + ref_id: '3' + name: Requirements for Each Stage of Personal Information Processing + description: (21 items) + - urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3 + ref_id: '3.1' + name: Protection Measures During the Collection of Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + ref_id: 3.1.1 + name: Collection and Use of Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:node1148 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: When collecting personal information, the lawful requirements as + per relevant laws, such as obtaining the data subject's consent, complying + with legal obligations, and the execution and fulfillment of contracts, must + be clearly identified and followed to ensure the lawful collection of personal + information. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? 
+ + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1149 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1148 + description: The legal requirements for the collection of personal information + must be clearly identified for each method of collection, and the relevant + evidence should be documented and managed to demonstrate compliance. 
+ annotation: 'For example, if personal information is collected without the data + subject''s consent due to specific legal provisions or to comply with legal + obligations, the relevant legal provisions or clauses should be documented + as evidence. ' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1150 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1148 + description: A personal information controller may collect personal information + under any of the following circumstances and may use it within the scope of + the stated purpose of collection. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? 
+ + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1151 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: ' When obtaining consent for the collection of personal information + from the data subject, the consent must be obtained in an appropriate manner + that reflects the characteristics of the collection medium, and the information + should be collected at the point when it is needed. ' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? 
+ + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1152 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1151 + description: Consent for the collection of personal information must be obtained + in an appropriate manner, taking into account the following factors based + on the characteristics of the collection medium. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? 
+ + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1153 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1151 + description: Personal information should not be collected broadly in advance + during the membership registration process; it should be collected at the + point when it is actually needed. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? 
+ + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1154 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1153 + description: Consent for the collection and use of personal information should + be obtained only for the information necessary to initiate the service, and + for any additional services, consent should be obtained at the time those + services are provided. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? 
+ + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1155 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1153 + description: When registering on a website, personal information that is only + required for specific services within the website should be collected at the + time those specific services are used. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? 
+ + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1156 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1153 + description: However, for repeated services, personal information can be collected + and used if consent is obtained at the initial service point by classifying + it as an optional consent item. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? 
+ + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1157 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: When obtaining consent for the collection of personal information + from the data subject, the legally required notifications must be clearly + communicated, and consent must be obtained. Important information, as specified + by law, should be clearly marked to ensure that the data subject can easily + understand it. 
+ annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? 
+ + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1158 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1157 + description: When obtaining consent for the collection and use of personal information + from the data subject, the four legally required notifications must be clearly + and specifically communicated, and consent must be obtained. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? 
+ + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1159 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1157 + description: ' For the consent of the data subject to be legally valid, it must + meet all legal requirements, including the data subject''s ability to make + a decision based on their free will, and the specificity and clarity of the + consent content.' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? 
+ + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1160 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1157 + description: 'According to Article 22(2) of the Personal Information Protection + Act, when obtaining consent for the processing of personal information in + writing (including electronic documents as defined in Article 2(1) of the + Electronic Documents and Transactions Act), the following important information + must be clearly displayed and easily understandable:' + annotation: 'You will find it on page 192. + + For detailed information, refer to the "Personal Information Processing Consent + Guide" provided by the Personal Information Protection Commission.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1161 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: When obtaining consent for the collection, use, or provision of + personal information from children under the age of 14, it is necessary to + inform the legal guardian of the required details and obtain their consent. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? 
+ + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1162 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1161 + description: If there is no need to process the personal information of children + under the age of 14, implement appropriate age verification procedures to + prevent the collection of such information. 
+ annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? 
+ + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1163 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1161 + description: If there is a need to process the personal information of children + under the age of 14, establish a separate consent form and legal guardian + verification procedures to obtain the required consent from the legal guardian. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? 
+ + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1164 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: To obtain the consent of a legal guardian, only the minimum necessary + information (such as name and contact details) should be collected, and procedures + and methods must be established to verify whether the legal guardian meets + the eligibility requirements. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? 
+ + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1165 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1164 + description: The minimum information required to obtain the legal guardian's + consent (such as the guardian's name and contact details) can be collected + directly from the child without the guardian's consent. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? 
+ + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1166 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1165 + description: However, when collecting the guardian's name and contact details, + the child must be informed of the purpose of collecting their own identity + and contact information, as well as the reason for collecting the guardian's + name and contact details (Standard Personal Information Protection Guidelines + Article 13(1)). + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? 
+ + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1167 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1165 + description: The personal information of the legal guardian collected from the + child should be used solely for obtaining consent. 
+ annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? 
+ + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1168 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1164 + description: To obtain the legal guardian's consent, it is necessary to verify + that the information provided by the child pertains to a legitimate legal + guardian and confirm the authenticity of the guardian. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? 
+ + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1169 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1168 + description: Verify the legal guardian's status as a minor. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? 
+ + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1170 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1168 + description: Confirm the age difference between the child and the guardian. 
+ annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? 
+ + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1171 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1164 + description: If the legal guardian refuses consent or if the consent of the + legal guardian cannot be confirmed, the collected data must be destroyed within + 5 days from the collection date (Standard Personal Information Protection + Guidelines Article 13(2)). + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? 
+ + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1172 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: When notifying children under the age of 14 about matters related + to personal data processing, the information must be presented in a format + and language that is easy to understand. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? 
+ + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1173 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1172 + description: Information should be transparently conveyed in child-friendly + ways, such as using simple language, illustrations, videos, etc. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? 
+ + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1174 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1172 + description: Consider the child's age, capabilities, and usage behavior. + annotation: For detailed information, refer to the 'Children and Youth Personal + Information Protection Guidelines' (Personal Information Protection Commission). + - urn: urn:intuitem:risk:req_node:k_isms_p:node1175 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: Records of consent obtained from the data subject and legal guardian + must be maintained to prove the legal basis for data collection and use. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? 
+ + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1176 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1175 + description: 'Records should include: date and time of consent, consent items, + consent giver (legal guardian''s information if applicable), and method of + consent.' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? 
+ + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1177 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1175 + description: 'Retention period: Until the personal data is destroyed, such as + when membership is canceled.' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? 
+ + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1178 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1 + description: For personal data that can be processed without the data subject's + consent, clearly disclose the items and legal basis for processing in the + privacy policy or notify the data subject through written means. + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? 
+ + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1179 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1178 + description: 'Cases where personal data collection and use are allowed without + consent: Personal Information Protection Act Article 15(1)(2) to (7).' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? + + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? 
+ + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1180 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1178 + description: 'Information to notify: Items of personal data processed without + consent and legal basis for processing.' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? + + - When obtaining consent from the data subject for the collection of personal + information, are the methods and timing of obtaining consent appropriate? + + - When obtaining consent from the data subject for the collection of personal + information, is the relevant information clearly disclosed, and is important + information as specified by law highlighted in an easily understandable manner? + + - In cases where consent is obtained for the collection, use, and provision + of personal information of children under the age of 14, is the legal guardian + properly informed of the necessary details and is consent obtained from them? 
+ + - Is only the minimum necessary personal information collected to obtain consent + from the legal guardian, and are procedures and methods in place to verify + that the legal guardian meets the qualification requirements? + + - Are records of consent obtained from the data subject and legal guardian + being properly maintained? + + - When notifying children under the age of 14 about matters related to the + processing of personal information, is it done using a format and language + that is easy for them to understand? + + - For personal information that can be processed without the consent of the + data subject, are the items and legal grounds for processing distinguished + from those that require consent, and is this information disclosed in the + privacy policy or otherwise communicated to the data subject? + + - When using personal information for purposes beyond the original intent + without the consent of the data subject, are criteria established and implemented + to assess factors such as the relevance to the original purpose, predictability, + potential harm to the data subject, and security measures? If additional use + occurs continuously, are these criteria disclosed in the privacy policy and + regularly reviewed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1181 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1178 + description: 'Method of notification: Separate from personal data collected + with consent, either through the privacy policy or written methods (e.g., + mail, email, fax, phone, text message, or equivalent).' + annotation: 'Key Points for Verification: + + - When collecting personal information, is it being collected in accordance + with the lawful requirements such as obtaining the consent of the data subject, + compliance with legal obligations, or the execution and fulfillment of a contract? 
+
+ - When obtaining consent from the data subject for the collection of personal
+ information, are the methods and timing of obtaining consent appropriate?
+
+ - When obtaining consent from the data subject for the collection of personal
+ information, is the relevant information clearly disclosed, and is important
+ information as specified by law highlighted in an easily understandable manner?
+
+ - In cases where consent is obtained for the collection, use, and provision
+ of personal information of children under the age of 14, is the legal guardian
+ properly informed of the necessary details and is consent obtained from them?
+
+ - Is only the minimum necessary personal information collected to obtain consent
+ from the legal guardian, and are procedures and methods in place to verify
+ that the legal guardian meets the qualification requirements?
+
+ - Are records of consent obtained from the data subject and legal guardian
+ being properly maintained?
+
+ - When notifying children under the age of 14 about matters related to the
+ processing of personal information, is it done using a format and language
+ that is easy for them to understand?
+
+ - For personal information that can be processed without the consent of the
+ data subject, are the items and legal grounds for processing distinguished
+ from those that require consent, and is this information disclosed in the
+ privacy policy or otherwise communicated to the data subject?
+
+ - When using personal information for purposes beyond the original intent
+ without the consent of the data subject, are criteria established and implemented
+ to assess factors such as the relevance to the original purpose, predictability,
+ potential harm to the data subject, and security measures? If additional use
+ occurs continuously, are these criteria disclosed in the privacy policy and
+ regularly reviewed?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1182
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.1
+ description: When using personal data for additional purposes without consent,
+ establish and implement criteria considering relevance to the original purpose,
+ predictability, potential infringement on rights, and safety measures. If
+ additional use continues, disclose this in the privacy policy and check compliance
+ with the criteria.
+ annotation: 'Key Points for Verification:
+
+ - When collecting personal information, is it being collected in accordance
+ with the lawful requirements such as obtaining the consent of the data subject,
+ compliance with legal obligations, or the execution and fulfillment of a contract?
+
+ - When obtaining consent from the data subject for the collection of personal
+ information, are the methods and timing of obtaining consent appropriate?
+
+ - When obtaining consent from the data subject for the collection of personal
+ information, is the relevant information clearly disclosed, and is important
+ information as specified by law highlighted in an easily understandable manner?
+
+ - In cases where consent is obtained for the collection, use, and provision
+ of personal information of children under the age of 14, is the legal guardian
+ properly informed of the necessary details and is consent obtained from them?
+
+ - Is only the minimum necessary personal information collected to obtain consent
+ from the legal guardian, and are procedures and methods in place to verify
+ that the legal guardian meets the qualification requirements?
+
+ - Are records of consent obtained from the data subject and legal guardian
+ being properly maintained?
+
+ - When notifying children under the age of 14 about matters related to the
+ processing of personal information, is it done using a format and language
+ that is easy for them to understand?
+
+ - For personal information that can be processed without the consent of the
+ data subject, are the items and legal grounds for processing distinguished
+ from those that require consent, and is this information disclosed in the
+ privacy policy or otherwise communicated to the data subject?
+
+ - When using personal information for purposes beyond the original intent
+ without the consent of the data subject, are criteria established and implemented
+ to assess factors such as the relevance to the original purpose, predictability,
+ potential harm to the data subject, and security measures? If additional use
+ occurs continuously, are these criteria disclosed in the privacy policy and
+ regularly reviewed?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.2
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1
+ ref_id: 3.1.2
+ name: Limitation on the Collection of Personal Information
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1184
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.2
+ description: When collecting personal data, you must collect only the minimum
+ amount of information necessary for the stated purpose, whether based on legal
+ grounds, compliance with legal obligations, or contract performance
+ annotation: 'Key Points for Verification:
+
+ - When collecting personal data, are you collecting only the minimum amount
+ of information necessary for the stated purpose?
+
+ - When obtaining consent from the data subject to collect personal data, are
+ you specifically informing them that they can refuse to consent to the collection
+ of information beyond the minimum required?
+
+ - Are you ensuring that refusal to consent to the collection of personal data
+ beyond what is necessary does not result in the denial of service or goods?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1185
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1184
+ description: "Even if collecting personal data without the data subject\u2019\
+ s consent, based on legal grounds or compliance with legal obligations, you\
+ \ must still collect only the minimum required data for the intended purpose."
+ annotation: 'Key Points for Verification:
+
+ - When collecting personal data, are you collecting only the minimum amount
+ of information necessary for the stated purpose?
+
+ - When obtaining consent from the data subject to collect personal data, are
+ you specifically informing them that they can refuse to consent to the collection
+ of information beyond the minimum required?
+
+ - Are you ensuring that refusal to consent to the collection of personal data
+ beyond what is necessary does not result in the denial of service or goods?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1186
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1184
+ description: The responsibility to prove the necessity of collecting minimal
+ personal data lies with the data processor, so you must be able to demonstrate
+ that the information collected is essential for providing the service (with
+ "minimal personal data" referring to information necessary for the core functionality
+ of the service).
+ annotation: 'Key Points for Verification:
+
+ - When collecting personal data, are you collecting only the minimum amount
+ of information necessary for the stated purpose?
+
+ - When obtaining consent from the data subject to collect personal data, are
+ you specifically informing them that they can refuse to consent to the collection
+ of information beyond the minimum required?
+
+ - Are you ensuring that refusal to consent to the collection of personal data
+ beyond what is necessary does not result in the denial of service or goods?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1187
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.2
+ description: When collecting personal data with the data subject's consent,
+ you must clearly inform them that they can refuse to provide information beyond
+ what is necessary.
+ annotation: 'Key Points for Verification:
+
+ - When collecting personal data, are you collecting only the minimum amount
+ of information necessary for the stated purpose?
+
+ - When obtaining consent from the data subject to collect personal data, are
+ you specifically informing them that they can refuse to consent to the collection
+ of information beyond the minimum required?
+
+ - Are you ensuring that refusal to consent to the collection of personal data
+ beyond what is necessary does not result in the denial of service or goods?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1188
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1187
+ description: Distinguish and clearly indicate which information is essential
+ and which is not, so that the data subject can easily identify it.
+ annotation: 'Key Points for Verification:
+
+ - When collecting personal data, are you collecting only the minimum amount
+ of information necessary for the stated purpose?
+
+ - When obtaining consent from the data subject to collect personal data, are
+ you specifically informing them that they can refuse to consent to the collection
+ of information beyond the minimum required?
+
+ - Are you ensuring that refusal to consent to the collection of personal data
+ beyond what is necessary does not result in the denial of service or goods?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1189
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1187
+ description: Inform the data subject that they can freely refuse to provide
+ non-essential information without affecting their ability to use goods or
+ services.
+ annotation: 'Key Points for Verification:
+
+ - When collecting personal data, are you collecting only the minimum amount
+ of information necessary for the stated purpose?
+
+ - When obtaining consent from the data subject to collect personal data, are
+ you specifically informing them that they can refuse to consent to the collection
+ of information beyond the minimum required?
+
+ - Are you ensuring that refusal to consent to the collection of personal data
+ beyond what is necessary does not result in the denial of service or goods?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1190
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.2
+ description: Ensure that refusal to provide non-essential personal data does
+ not result in denial of services or goods.
+ annotation: 'Key Points for Verification:
+
+ - When collecting personal data, are you collecting only the minimum amount
+ of information necessary for the stated purpose?
+
+ - When obtaining consent from the data subject to collect personal data, are
+ you specifically informing them that they can refuse to consent to the collection
+ of information beyond the minimum required?
+
+ - Are you ensuring that refusal to consent to the collection of personal data
+ beyond what is necessary does not result in the denial of service or goods?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1191
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1190
+ description: Clearly state that opting out of optional information does not
+ affect the ability to use the essential services.
+ annotation: 'Key Points for Verification:
+
+ - When collecting personal data, are you collecting only the minimum amount
+ of information necessary for the stated purpose?
+
+ - When obtaining consent from the data subject to collect personal data, are
+ you specifically informing them that they can refuse to consent to the collection
+ of information beyond the minimum required?
+
+ - Are you ensuring that refusal to consent to the collection of personal data
+ beyond what is necessary does not result in the denial of service or goods?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1192
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1190
+ description: Implement systems so that essential services, like membership registration,
+ remain accessible even if optional data is not provided.
+ annotation: 'Key Points for Verification:
+
+ - When collecting personal data, are you collecting only the minimum amount
+ of information necessary for the stated purpose?
+
+ - When obtaining consent from the data subject to collect personal data, are
+ you specifically informing them that they can refuse to consent to the collection
+ of information beyond the minimum required?
+
+ - Are you ensuring that refusal to consent to the collection of personal data
+ beyond what is necessary does not result in the denial of service or goods?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.3
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1
+ ref_id: 3.1.3
+ name: Limitation on the Processing of Resident Registration Numbers
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1194
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.3
+ description: Resident registration numbers cannot be collected or processed
+ except in cases where there are legal grounds as outlined below.
+ annotation: 'Key Points for Verification:
+
+ - Is the handling of resident registration numbers limited to cases with clear
+ legal grounds?
+
+ - Are the legal provisions justifying the collection of resident registration
+ numbers specifically identified?
+
+ - Even when processing resident registration numbers based on legal grounds,
+ is there an option for individuals to register as members on the website without
+ using their resident registration numbers?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1195
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1194
+ description: Cases where the collection and processing of resident registration
+ numbers are permitted (collection based on consent is not allowed).
+ annotation: 'Key Points for Verification:
+
+ - Is the handling of resident registration numbers limited to cases with clear
+ legal grounds?
+
+ - Are the legal provisions justifying the collection of resident registration
+ numbers specifically identified?
+
+ - Even when processing resident registration numbers based on legal grounds,
+ is there an option for individuals to register as members on the website without
+ using their resident registration numbers?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1196
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.3
+ description: When processing resident registration numbers, you must specifically
+ identify and be able to prove the legal provisions that justify such processing.
+ annotation: 'Key Points for Verification:
+
+ - Is the handling of resident registration numbers limited to cases with clear
+ legal grounds?
+
+ - Are the legal provisions justifying the collection of resident registration
+ numbers specifically identified?
+
+ - Even when processing resident registration numbers based on legal grounds,
+ is there an option for individuals to register as members on the website without
+ using their resident registration numbers?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1197
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1196
+ description: The phrase "when laws, Presidential Decrees, rules of the National
+ Assembly, Supreme Court, Constitutional Court, National Election Commission,
+ or Board of Audit and Inspection specifically require or allow the processing
+ of resident registration numbers" means that there must be a specific provision
+ in at least one of these legal texts that explicitly requires or permits the
+ processing of resident registration numbers by a data controller.
+ annotation: 'Key Points for Verification:
+
+ - Is the handling of resident registration numbers limited to cases with clear
+ legal grounds?
+
+ - Are the legal provisions justifying the collection of resident registration
+ numbers specifically identified?
+
+ - Even when processing resident registration numbers based on legal grounds,
+ is there an option for individuals to register as members on the website without
+ using their resident registration numbers?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1198
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1196
+ description: Under Article 24-2(1)(1) of the Personal Information Protection
+ Act, the scope of laws that allow the processing of resident registration
+ numbers is limited, so it is not permitted to process them based solely on
+ enforcement rules.
+ annotation: 'Key Points for Verification:
+
+ - Is the handling of resident registration numbers limited to cases with clear
+ legal grounds?
+
+ - Are the legal provisions justifying the collection of resident registration
+ numbers specifically identified?
+
+ - Even when processing resident registration numbers based on legal grounds,
+ is there an option for individuals to register as members on the website without
+ using their resident registration numbers?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1199
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1196
+ description: According to Article 24-2(1)(2) of the Personal Information Protection
+ Act, processing of resident registration numbers is exceptionally permitted
+ if it is clearly necessary to protect the urgent life, body, or property interests
+ of the data subject or a third party.
+ annotation: 'Key Points for Verification:
+
+ - Is the handling of resident registration numbers limited to cases with clear
+ legal grounds?
+
+ - Are the legal provisions justifying the collection of resident registration
+ numbers specifically identified?
+
+ - Even when processing resident registration numbers based on legal grounds,
+ is there an option for individuals to register as members on the website without
+ using their resident registration numbers?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1200
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1196
+ description: Collection, provision to third parties, storage, or retention of
+ resident registration numbers is prohibited unless it falls under one of the
+ exceptions specified in each subparagraph of Article 24-2(1) of the Personal
+ Information Protection Act.
+ annotation: 'Key Points for Verification:
+
+ - Is the handling of resident registration numbers limited to cases with clear
+ legal grounds?
+
+ - Are the legal provisions justifying the collection of resident registration
+ numbers specifically identified?
+
+ - Even when processing resident registration numbers based on legal grounds,
+ is there an option for individuals to register as members on the website without
+ using their resident registration numbers?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1201
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.3
+ description: Even when processing resident registration numbers based on legal
+ grounds, an alternative method for membership registration must be provided,
+ allowing users to sign up on the website without using their resident registration
+ number.
+ annotation: 'Examples of alternative registration methods: i-PIN, mobile phone
+ verification, credit card, digital certificate, etc.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.4
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1
+ ref_id: 3.1.4
+ name: Limitation on the Processing of Sensitive and Unique Identifying Information
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1203
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.4
+ description: Sensitive information is, in principle, prohibited from being processed.
+ However, it can be processed if separate consent is obtained from the data
+ subject or if there is a legal basis for it.
+ annotation: 'Scope of Sensitive Information:
+
+ 1. Ideologies and Beliefs: Information on various ideologies or ideological
+ tendencies, and religious beliefs.
+
+ 2. Political Views: Information on one''s stance on political issues or support
+ for a particular political party.
+
+ 3. Union or Party Membership: Information regarding membership or withdrawal
+ from labor unions or political parties.
+
+ 4. Health and Sexual Life: Information on past or present medical history,
+ physical or mental disabilities (including disability grades), and sexual
+ preferences.
+
+ 5. Personal Information That May Seriously Infringe Privacy:
+
+ - Genetic information obtained from genetic testing and criminal records.
+
+ - Information on sentencing or exemption from sentences of fines or higher,
+ protective custody, treatment custody, probation, the invalidation of probation,
+ the cancellation of suspended sentences, forfeiture, confiscation, community
+ service orders, detention orders, etc.
+
+ - Information on the physical, physiological, or behavioral characteristics
+ of an individual, created using specific technical means for the purpose of
+ identifying the individual (biometric characteristic information).
+
+ - Information on race or ethnicity.'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1204
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1203
+ description: 'Cases Where Sensitive Information Processing is Permissible:
+
+ When separate consent is obtained from the data subject, distinct from the
+ consent for the processing of other personal information.
+
+ When the processing of sensitive information is required or permitted by law.'
+ annotation: 'Key Points for Verification:
+
+ - Is sensitive information processed only when separate consent is obtained
+ from the data subject or when there is a legal basis for it?
+
+ - Is unique identification information (excluding resident registration numbers)
+ processed only when separate consent is obtained from the data subject or
+ when there is a specific legal basis for it?
+
+ - When there is a risk of privacy invasion due to the inclusion of the data
+ subject''s sensitive information in information disclosed during the provision
+ of goods or services, is the data subject clearly informed of the possibility
+ of disclosure and the method to choose non-disclosure before providing the
+ goods or services?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1205
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.4
+ description: Unique Identifying Information (excluding Resident Registration
+ Numbers) must only be processed if separate consent is obtained from the data
+ subject or if there is a specific legal basis for it.
+ annotation: 'Scope of Unique Identifying Information:
+
+ 1. Resident Registration Number: (However, collection based on consent is
+ not permitted due to legal restrictions on its collection.)
+
+ 2. Passport Number
+
+ 3. Driver''s License Number
+
+ 4. Alien Registration Number'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1206
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1205
+ description: 'Cases Where the Processing of Unique Identifying Information (excluding
+ Resident Registration Numbers) is Permissible:
+
+
+ When separate consent is obtained from the data subject, distinct from the
+ consent for the processing of other personal information.
+
+ When the processing of unique identifying information is specifically required
+ or permitted by law.'
+ annotation: 'Key Points for Verification:
+
+ - Is sensitive information processed only when separate consent is obtained
+ from the data subject or when there is a legal basis for it?
+
+ - Is unique identification information (excluding resident registration numbers)
+ processed only when separate consent is obtained from the data subject or
+ when there is a specific legal basis for it?
+
+ - When there is a risk of privacy invasion due to the inclusion of the data
+ subject''s sensitive information in information disclosed during the provision
+ of goods or services, is the data subject clearly informed of the possibility
+ of disclosure and the method to choose non-disclosure before providing the
+ goods or services?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1207
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.4
+ description: When providing goods or services, if it is determined that the
+ disclosure of the data subject's sensitive information could pose a risk to
+ privacy, the data subject must be clearly informed in an easily understandable
+ way about the possibility of sensitive information being disclosed and how
+ to opt for non-disclosure before the goods or services are provided.
+ annotation: 'Key Points for Verification:
+
+ - Is sensitive information processed only when separate consent is obtained
+ from the data subject or when there is a legal basis for it?
+
+ - Is unique identification information (excluding resident registration numbers)
+ processed only when separate consent is obtained from the data subject or
+ when there is a specific legal basis for it?
+
+ - When there is a risk of privacy invasion due to the inclusion of the data
+ subject''s sensitive information in information disclosed during the provision
+ of goods or services, is the data subject clearly informed of the possibility
+ of disclosure and the method to choose non-disclosure before providing the
+ goods or services?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1208
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1207
+ description: If applicable, this must also be disclosed in the privacy policy.
+ annotation: 'Key Points for Verification:
+
+ - Is sensitive information processed only when separate consent is obtained
+ from the data subject or when there is a legal basis for it?
+
+ - Is unique identification information (excluding resident registration numbers)
+ processed only when separate consent is obtained from the data subject or
+ when there is a specific legal basis for it?
+
+ - When there is a risk of privacy invasion due to the inclusion of the data
+ subject''s sensitive information in information disclosed during the provision
+ of goods or services, is the data subject clearly informed of the possibility
+ of disclosure and the method to choose non-disclosure before providing the
+ goods or services?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1
+ ref_id: 3.1.5
+ name: ' Indirect Collection of Personal Information'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1210
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5
+ description: When receiving personal information from a third party other than
+ the data subject, it is necessary to verify whether the information was collected
+ and provided through lawful procedures. Additionally, the contract must clearly
+ specify that the responsibility for obtaining consent for the collection of
+ personal information lies with the provider.
+ annotation: 'Key Points for Verification:
+
+ - When receiving personal information from a third party other than the data
+ subject, is it clearly stated in the contract that the responsibility for
+ obtaining consent for the collection of personal information lies with the
+ provider of the information?
+
+ - When collecting personal information from publicly available media and locations,
+ is the information collected and used only within the scope of the data subject''s
+ intended purpose, the range of disclosure, and the extent to which consent
+ is reasonably assumed according to social norms?
+
+ - In cases where personal information is collected or generated through automatic
+ collection devices during the service provision process, and it is necessary
+ for fulfilling the service contract, is the principle of minimal collection
+ applied?
+
+ - When collecting personal information from sources other than the data subject,
+ is the data subject promptly informed of the necessary details upon their
+ request?
+
+ - When processing personal information collected from sources other than the
+ data subject, if the type or scope of the personal information meets legal
+ requirements, are the necessary details communicated to the data subject?
+
+ - Is the record of informing the data subject about the source of the collected
+ information kept and managed until the personal information is destroyed?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1211
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5
+ description: When collecting personal information from publicly available media
+ or locations such as SNS or websites, the information can only be used within
+ the scope where the data subject's consent is clearly indicated or within
+ the extent where consent is reasonably assumed based on social norms (Standard
+ Guidelines for Personal Information Protection, Article 6, Paragraph 4).
+ annotation: 'Key Points for Verification:
+
+ - When receiving personal information from a third party other than the data
+ subject, is it clearly stated in the contract that the responsibility for
+ obtaining consent for the collection of personal information lies with the
+ provider of the information?
+
+ - When collecting personal information from publicly available media and locations,
+ is the information collected and used only within the scope of the data subject''s
+ intended purpose, the range of disclosure, and the extent to which consent
+ is reasonably assumed according to social norms?
+
+ - In cases where personal information is collected or generated through automatic
+ collection devices during the service provision process, and it is necessary
+ for fulfilling the service contract, is the principle of minimal collection
+ applied?
+
+ - When collecting personal information from sources other than the data subject,
+ is the data subject promptly informed of the necessary details upon their
+ request?
+
+ - When processing personal information collected from sources other than the
+ data subject, if the type or scope of the personal information meets legal
+ requirements, are the necessary details communicated to the data subject?
+
+ - Is the record of informing the data subject about the source of the collected
+ information kept and managed until the personal information is destroyed?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1212
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5
+ description: Even when collecting or generating personal information through
+ automatic collection devices (e.g., call records, access logs, payment records,
+ usage history) during the service provision process, only the minimum necessary
+ personal information required to fulfill and provide the service contract
+ should be collected.
+ annotation: 'Key Points for Verification:
+
+ - When receiving personal information from a third party other than the data
+ subject, is it clearly stated in the contract that the responsibility for
+ obtaining consent for the collection of personal information lies with the
+ provider of the information?
+
+ - When collecting personal information from publicly available media and locations,
+ is the information collected and used only within the scope of the data subject''s
+ intended purpose, the range of disclosure, and the extent to which consent
+ is reasonably assumed according to social norms?
+
+ - In cases where personal information is collected or generated through automatic
+ collection devices during the service provision process, and it is necessary
+ for fulfilling the service contract, is the principle of minimal collection
+ applied?
+ + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1213 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1212 + description: However, if the information is collected for purposes unrelated + to service provision, it should be classified as an optional consent item, + and separate prior consent must be obtained (e.g., using behavioral information + collected through cookies for personalized advertising). + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? 
+ + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1214 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5 + description: If personal information is collected from sources other than the + data subject, and the data subject requests it, the necessary details must + be promptly communicated to the data subject. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? 
+ + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1215 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1214 + description: 'When a data subject requests information, the following details + must be provided:' + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? 
+ + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1216 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1215 + description: The source of the collected personal information. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1217 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1215 + description: The purpose of processing the personal information. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1218 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1215 + description: The fact that the data subject has the right to request the cessation + of processing or to withdraw consent. 
+ annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1219 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1214 + description: Unless there is a legitimate reason, the information must be communicated + to the data subject within 3 days from the date of the request (Standard Guidelines + for Personal Information Protection, Article 9, Paragraph 1). 
+ annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1220 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1214 + description: If the request is refused due to concerns such as potential harm + to another person's life or body, the grounds and reasons for refusal must + be communicated to the data subject within 3 days from the date of the request, + unless there is a legitimate reason (Standard Guidelines for Personal Information + Protection, Article 9, Paragraph 2). 
+ annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1221 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5 + description: When processing personal information collected from sources other + than the data subject, the necessary details must be communicated to the data + subject if the type and scope of the information meet legal requirements. 
+ annotation: You will find a table of Requirements and Methods for Notification + on page 204 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1222 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1221 + description: The obligation to notify the source of personal information applies + only to personal information collected from personal information controllers + who have provided the information with the data subject's consent under Article + 17(1)1 of the Personal Information Protection Act. This does not apply to + personal information collected from entities that provided it under the Credit + Information Act or other legal provisions (Personal Information Protection + Act regulations and guidelines). + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? 
+ + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1223 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1221 + description: If the collected information does not include contact information + or other data that can be used to inform the data subject, there is no obligation + to notify. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? 
+ + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1224 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.5 + description: Records of notifying the data subject about the source of the collected + information must be retained and managed until the personal information is + destroyed. + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1225 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1224 + description: 'Information to be retained and managed related to source notification + (Personal Information Protection Act Enforcement Decree Article 15-2(4)):' + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1226 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1225 + description: Facts notified to the data subject + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1227 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1225 + description: Timing of notification + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1228 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1225 + description: Method of notification + annotation: 'Key Points for Verification: + + - When receiving personal information from a third party other than the data + subject, is it clearly stated in the contract that the responsibility for + obtaining consent for the collection of personal information lies with the + provider of the information? + + - When collecting personal information from publicly available media and locations, + is the information collected and used only within the scope of the data subject''s + intended purpose, the range of disclosure, and the extent to which consent + is reasonably assumed according to social norms? + + - In cases where personal information is collected or generated through automatic + collection devices during the service provision process, and it is necessary + for fulfilling the service contract, is the principle of minimal collection + applied? + + - When collecting personal information from sources other than the data subject, + is the data subject promptly informed of the necessary details upon their + request? + + - When processing personal information collected from sources other than the + data subject, if the type or scope of the personal information meets legal + requirements, are the necessary details communicated to the data subject? + + - Is the record of informing the data subject about the source of the collected + information kept and managed until the personal information is destroyed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + ref_id: 3.1.6 + name: Installation and Operation of Video Information Processing Devices + - urn: urn:intuitem:risk:req_node:k_isms_p:node1230 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When installing and operating fixed surveillance cameras in public + places, you must review whether they meet the legal requirements. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? 
+ + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1231 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1230 + description: These are devices installed in a specific location that continuously + or periodically capture images of people or objects, or transmit these images + via wired or wireless networks. This includes closed-circuit television (CCTV) + and network cameras (as defined in Article 2, Item 7 of the Personal Information + Protection Act and Article 3, Paragraph 1 of the Enforcement Decree of the + same Act). + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? 
+ + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1230 + description: 'Fixed surveillance cameras can be installed and operated in public + places only under the following circumstances:' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? 
+ + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1233 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: When specifically permitted by law. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1234 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: When necessary for the prevention and investigation of crime. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1235 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: When installed and operated by authorized personnel for the safety + and management of facilities, and fire prevention. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1236 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: When installed and operated by authorized personnel for traffic + enforcement. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1237 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: When installed and operated by authorized personnel for collecting, + analyzing, and providing traffic information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1238 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1232 + description: 'When the captured video information is not stored and falls under + one of the following cases:' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1239 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1238 + description: For calculating statistics such as the number of visitors. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1240 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1238 + description: To derive statistical characteristics such as gender and age group. 
+ annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1241 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1238 + description: In other cases similar to the above two, subject to review and + resolution by the Personal Information Protection Commission. 
+ annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1242 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1230 + description: It is prohibited to install and operate surveillance cameras in + places such as public baths, restrooms, sweat rooms, and changing rooms, where + there is a significant risk of infringing on personal privacy. 
However, exceptions + are made for facilities that detain or protect individuals based on legal + grounds, such as prisons and mental health facilities designated by Presidential + Decree (correctional facilities, mental health institutions with detention + facilities, mental health care facilities, and mental rehabilitation facilities). + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1243 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When public institutions wish to install and operate fixed surveillance + cameras in public places, they must follow legal procedures such as public + hearings or briefings to collect opinions from relevant experts and stakeholders. + annotation: 'Entities Required to Collect Opinions: + + - Heads of public institutions intending to install and operate fixed surveillance + cameras in public places. + + - Correctional facilities, mental health institutions, mental health care + facilities, and mental rehabilitation facilities intending to install cameras + that may significantly infringe on personal privacy. + + + Opinion Collection Procedures: + + - Conducting administrative notices or soliciting opinions according to the + Administrative Procedure Act. + + - Holding briefings, surveys, or public opinion polls for local residents + directly affected by the installation of the surveillance cameras. + + + Opinion Collectors: + + - Relevant experts. + + - Individuals working at the facility, those detained or protected at the + facility, or their guardians and other stakeholders.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1244 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When installing and operating fixed surveillance cameras, an information + board must be installed to ensure that individuals can easily recognize the + presence of the cameras. + annotation: 'Information to Include on the Board:[Details about what should + be included on the board were not provided in your request. Typically, this + information would include the purpose of the surveillance, contact information + for the responsible entity, and details about how the footage will be used + and managed.] 
+ + 1.Purpose and Location of Installation + + 2.Range and Time of Surveillance + + 3.Contact Information of the Responsible Manager + + 4.Name and Contact Information of the Entrusted Party (if the operation and + management of the surveillance system are outsourced) + + + Exceptions for Installing Information Boards: + + 1.Military Facilities + + 2.National Key Facilities + + 3.National Security Facilities' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1245 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1244 + description: "Considerations for Installing Information Boards:\nInstall the\ + \ board in a location that is easily noticeable by the individuals concerned.\n\ + If multiple fixed surveillance cameras are installed within a building, a\ + \ single information board indicating that the entire facility or area is\ + \ under surveillance can be installed in a prominent location, such as at\ + \ the entrance.\nIn cases where a public institution installs fixed surveillance\ + \ cameras for long-distance recording, monitoring speeding or signal violations,\ + \ traffic flow studies, or monitoring forest fires\u2014where there is minimal\ + \ concern for privacy violations\u2014if it is impossible to install an information\ + \ board or if an information board would not be easily visible to individuals\ + \ due to the specific characteristics of the location, the relevant information\ + \ can be posted on the institution's website." + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? 
+ + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1246 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When operating mobile surveillance cameras in public places for + work purposes, you must verify that they meet legal requirements and take + the necessary actions accordingly. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? 
+ + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1247 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1246 + description: Devices worn or carried on the body, attached to, or mounted on + a mobile object, used to capture images or videos of people or objects, or + to transmit this footage via wired or wireless networks, as defined by Presidential + Decree (Article 2, Paragraph 7-2 of the Personal Information Protection Act, + and Article 3, Paragraph 2 of the Enforcement Decree). + annotation: 'Cases Where Mobile Surveillance Cameras Can Be Operated in Public + Places for Work Purposes: + + + 1. When any of the conditions in Article 15, Paragraph 1 of the Personal Information + Protection Act are met (e.g., with the consent of the data subject). + + + 2. 
When the fact that recording is taking place is clearly indicated, allowing + the data subject to be aware of the recording, and the data subject has not + expressed a refusal to be recorded. In such cases, it must be ensured that + the recording does not unfairly infringe on the rights of the data subject + and remains within reasonable limits. + + + 3. Other cases similar to the above, as specified by Presidential Decree.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1248 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1246 + description: ' It is prohibited to film people or objects related to them with + mobile surveillance cameras in places where the privacy of individuals is + at significant risk, such as public baths, restrooms, saunas, and changing + rooms. However, exceptions are made in situations like crimes, disasters, + fires, or similar emergencies where video recording is necessary for rescuing + or assisting lives.' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1249 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When filming people or objects related to them with mobile surveillance + cameras in public places for work purposes, the filming should be clearly + indicated using lights, sounds, signs, or other methods to ensure that the + data subject is easily aware of the filming. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1250 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1249 + description: 'Methods to Indicate Filming: Lights, sounds, signs, written notices, + announcements, or other similar means. + + ' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1251 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1249 + description: 'Exceptions to Indicating Filming: If it is difficult to notify + data subjects due to the nature of filming, such as aerial photography by + drones, the fact and purpose of filming, as well as the date, time, and location, + must be announced through a website managed by the Personal Information Protection + Commission to support the indication of mobile surveillance camera filming + (Standard Personal Information Protection Guidelines, Article 39-2, Paragraph + 2)' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? 
+ + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: Operators of surveillance cameras must establish and implement + policies for the safe management of surveillance cameras and the video information + collected by them. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? 
+ + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1253 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + description: Operators of fixed surveillance cameras should establish fixed + surveillance camera operation and management policies, while operators of + mobile surveillance cameras should establish mobile surveillance camera operation + and management policies. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? 
+ + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + description: 'Information that must be included in the surveillance camera operation + and management policy:' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? 
+ + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1255 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: The legal basis and purpose of installing the surveillance cameras. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? 
+ + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1256 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: The number of cameras installed, their locations, and the range + of coverage. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1257 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: The person responsible for management, the department in charge, + and the individuals with access to the video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1258 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: The recording times, retention periods, storage locations, and + processing methods of the video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1259 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: Methods and locations for verifying video information by the operator. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1260 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: Measures for handling requests from data subjects for access to + their video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1261 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: Technical, administrative, and physical measures for the protection + of video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1262 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1254 + description: Other necessary matters regarding the installation, operation, + and management of surveillance cameras. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1263 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + description: If a privacy policy already includes matters related to the operation + and management of surveillance cameras, a separate surveillance camera operation + and management policy may not be required. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1264 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + description: Regulations should include provisions to prevent fixed surveillance + cameras from being manipulated or pointed at unintended locations, ensuring + management and supervision. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1265 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1252 + description: Fixed surveillance cameras should not have their audio recording + functions activated. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1266 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: A retention period must be established for the video information, + and the information must be promptly destroyed once the retention period expires. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1267 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1266 + description: The retention period should be determined to be the minimum necessary + to achieve the purpose of retaining the video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1268 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1266 + description: However, if there are specific provisions in other laws regarding + the retention period, those provisions should be followed. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1269 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1266 + description: If the operator of the surveillance cameras finds it difficult + to determine the minimum period required to achieve the purpose of retention, + the retention period should be set to within 30 days from the date of collection + of personal video information (Standard Personal Information Protection Guidelines, + Article 41, Paragraph 2). + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? 
+ + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1270 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.6 + description: When delegating the installation and operation of video surveillance + systems to an external party, the necessary details must be included in the + contract according to the relevant procedures and requirements. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? 
+ + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1270 + description: 'Items that must be included in the contract for public institutions + when outsourcing the installation and operation of video surveillance systems + (Article 26, Paragraph 1 of the Enforcement Decree of the Personal Information + Protection Act):' + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? 
+ + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1272 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + description: The purpose and scope of the delegated tasks. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? 
+ + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1273 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + description: Restrictions on further subcontracting. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? 
+ + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1274 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + description: Measures to ensure security, such as restricting access to video + information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? 
+ + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1275 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + description: Provisions for inspecting the management status of video information. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? 
+ + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1276 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1271 + description: Liability, including compensation for damages, in case the subcontractor + violates the obligations they must adhere to. + annotation: 'Key Points for Verification: + + - When installing and operating fixed surveillance cameras in public places, + have you reviewed whether it meets the legal requirements for such activities? + + - When public institutions or similar entities plan to install and operate + fixed surveillance cameras in public places, have they followed the legal + procedures such as holding public hearings or informational meetings to gather + opinions from relevant experts and stakeholders? + + - When installing and operating fixed surveillance cameras, have you taken + necessary measures, such as installing signage, to ensure that data subjects + can easily recognize the presence of the cameras? + + - When operating mobile surveillance cameras in public places for business + purposes, have you reviewed whether it meets the legal requirements for such + activities? + + - When using mobile surveillance cameras to capture images of people or objects + associated with them in public places for business purposes, do you inform + and notify individuals of the filming through methods such as lights, sounds, + or signage? + + - Have you established and implemented policies for the safe management and + operation of surveillance cameras and video data? + + - Do you have a set retention period for video data, and do you promptly destroy + the data when the retention period expires? + + - When outsourcing the installation and operation of surveillance cameras, + are the relevant procedures and requirements reflected in the contract?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.1.7 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1 + ref_id: 3.1.7 + name: Collection and Use of Personal Information for Marketing Purposes + - urn: urn:intuitem:risk:req_node:k_isms_p:node1278 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.7 + description: When intending to process personal information to promote or sell + goods or services to the data subject, you must inform the data subject in + a way that is clear and understandable and obtain separate consent. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1279 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1278 + description: "It is prohibited to collect personal information for \u2018promotion\ + \ and marketing\u2019 purposes while describing the purpose as \u2018providing\ + \ additional services\u2019 or \u2018providing partnership services\u2019." 
+ annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1280 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1278 + description: Personal information collected for product promotion or marketing + purposes must be clearly distinguished from information collected for other + purposes, and consent must be obtained separately. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? 
+ + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1281 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1278 + description: The fact that the personal information will be used to contact + the data subject for the promotion or solicitation of goods or services must + be clearly indicated, and the consent form should be designed to be easily + understood (using font size, color, bolding, or underlining to make the information + stand out). + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.7 + description: When sending commercial advertising information using electronic + transmission media, explicit prior consent from the recipient must be obtained, + and the recipient's consent status must be regularly checked every two years. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1283 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: "\u2018Electronic transmission media\u2019 includes mobile phones,\ + \ landlines, faxes, messengers, emails, and bulletin boards." + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? 
+ + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1284 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: To send commercial advertising information, explicit consent from + the recipient must be obtained through a document (including electronic documents) + or verbal means. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1285 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: "Consent for the promotion or solicitation of goods or services\ + \ under Article 22, Paragraph 1, Subparagraph 7 of the Personal Information\ + \ Protection Act corresponds to the consent for the collection and use of\ + \ the recipient\u2019s personal information by the sender to transmit advertising\ + \ information. Meanwhile, the consent under Article 50, Paragraph 1 of the\ + \ Information and Communications Network Act pertains to the recipient agreeing\ + \ to receive advertising information from the sender. These two types of consent\ + \ must be distinguished and obtained separately." + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1286 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: Simply downloading and installing a smartphone app (application) + does not allow the transmission of advertising information (app push notifications). + Advertising should only be sent after checking whether the recipient agrees + to receive advertising information when the app is first launched and obtaining + their consent. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1287 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: However, if the exception based on a transaction relationship applies, + it is possible to send advertising information without obtaining consent to + receive it. 
+ annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1288 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1282 + description: A sender who transmits advertising information after obtaining + the recipient's consent must verify the recipient's consent every two years + from the date the consent was initially obtained. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? 
+ + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1289 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1288 + description: This obligation is to inform the recipient that they have consented + to receive the information, so there is no need to obtain consent again. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1290 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1288 + description: If the recipient does not express any intention, it is assumed + that the consent for receiving messages remains valid. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1291 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1288 + description: 'When confirming the recipient''s consent, the following details + must be provided:' + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? 
+ + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1292 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1291 + description: The sender's name + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1293 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1291 + description: The date of consent and confirmation of consent + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1294 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1291 + description: How to express the intention to maintain or withdraw consent + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? 
+ + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1295 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.7 + description: If a recipient indicates refusal to receive or withdraws their + prior consent for advertising messages sent via electronic means, the sender + must stop sending such advertising information. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1296 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1295 + description: Even if there is an existing business relationship, if the recipient + expresses refusal to receive, sending advertising messages is prohibited. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1297 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1295 + description: Unsubscribing from membership is also considered as expressing + refusal to receive, so no advertising messages should be sent to those who + have unsubscribed. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? 
+ + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1298 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1295 + description: Unless the recipient specifically limits their refusal or withdrawal + of consent to particular messages, the refusal applies to all advertising + messages from the sender. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1299 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.1.7 + description: 'When sending advertising information for commercial purposes, + the following details must be clearly stated:' + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1300 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1299 + description: The sender's name and contact information + annotation: Compliance with the "Information and Communication Network Act Enforcement + Decree Appendix 6 (Details and Methods for Commercial Advertising Information)" + is required. 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1301 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1300 + description: Details and methods for easily expressing refusal or withdrawal + of consent + annotation: Compliance with the "Information and Communication Network Act Enforcement + Decree Appendix 6 (Details and Methods for Commercial Advertising Information)" + is required. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1302 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1299 + description: Advertising messages cannot be sent via electronic means during + night hours (from 9 PM to 8 AM the next day) unless there is separate consent. + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1303 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1302 + description: However, sending advertising emails during the night is permissible + without additional consent. 
+ annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? + + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1304 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1302 + description: For more detailed information, refer to the "Information and Communication + Network Act Guide for Preventing Illegal Spam." + annotation: 'Key Points for Verification: + + - When obtaining consent from the data subject for the processing of personal + information for the purpose of promoting or selling goods or services, are + you informing the data subject clearly and obtaining separate consent? + + - When sending commercial advertising information using electronic transmission + media, are you obtaining the recipient''s explicit prior consent, and checking + the recipient''s consent status every two years? + + - If the recipient expresses a refusal to receive commercial advertising information + sent via electronic transmission media or withdraws their prior consent, are + you ensuring that the transmission of commercial advertising information is + discontinued? 
+ + - When sending commercial advertising information, are you clearly indicating + the sender''s name and the method to opt out, and ensuring that such information + is not sent during nighttime hours?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3 + ref_id: '3.2' + name: Protection Measures During Retention and Use of Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:3.2.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + ref_id: 3.2.1 + name: Management of Personal Information Status + - urn: urn:intuitem:risk:req_node:k_isms_p:node1307 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.1 + description: You must regularly manage the status of the personal data you collect + and retain, including the items of data, quantity, processing purposes and + methods, and retention periods. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1308 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1307 + description: Data controllers (information and communication service providers) + must identify and record/manage the items of personal data, quantity, processing + basis (consent, legal provisions, etc.), processing purposes and methods, + and retention periods using personal data status tables, flow charts, or diagrams. 
+ annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1309 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1307 + description: Additionally, you should regularly review the personal data status + and update the relevant documents. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1310 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.1 + description: When public institutions operate or modify personal data files, + they must register the relevant information with the heads of the related + agencies as required by law, and update the registration if there are any + changes. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? 
+ + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1311 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1310 + description: The data protection officer who receives the personal data file + registration or modification application must review and assess the appropriateness + of the registration or modification and submit it to the Personal Information + Protection Commission within 60 days. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1312 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1310 + description: Central administrative agencies, local government agencies, and + other public institutions must request review and appropriateness judgment + from their higher management bodies for personal data file registration or + modification, and obtain confirmation from the higher management body before + registering with the Personal Information Protection Commission within 60 + days. 
+ annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1313 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1310 + description: For the National Assembly, the judiciary, the Constitutional Court, + and the Central Election Commission (including its affiliated bodies), personal + data file registration and disclosure follow the rules of the National Assembly, + Supreme Court, Constitutional Court, and Central Election Commission. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1314 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1310 + description: However, personal data files falling under Article 32(2) of the + Personal Information Protection Act do not need to be registered with the + Personal Information Protection Commission. 
+ annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1315 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.1 + description: Public institutions must disclose the status of personal data files + in their personal data processing policies. + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1316 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1315 + description: The data protection officer of a public institution must regularly + investigate the status of personal data file retention and destruction and + disclose the results in the institution's personal data processing policy. 
+ (Standard Personal Data Protection Guidelines, Article 61) + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1317 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1315 + description: The Personal Information Protection Commission must make the status + of personal data file registrations publicly available on the internet, so + that anyone can easily access it. (Personal Information Portal, www.privacy.go.kr) + annotation: 'Key Points for Verification: + + - Are you regularly managing the current status of the personal data you collect + and retain, including the types of data, quantity, purposes and methods of + processing, and retention periods? + + - When public institutions operate or modify personal data files, do they + register the relevant information with the heads of the related agencies as + required by law? + + - Do public institutions disclose the status of their personal data files + in their privacy policies?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.2.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + ref_id: 3.2.2 + name: Ensuring the Quality of Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:node1319 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.2 + description: Procedures and measures must be established and implemented to + ensure that personal data is maintained accurately and up-to-date. 
+ annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1320 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1319 + description: Apply safety measures to prevent personal data from being forged, + altered, or damaged. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1321 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1319 + description: Build and implement systems for backup and recovery to ensure the + accuracy and completeness of personal data, even in the event of illegal changes, + damage due to external hacking, internal abuse of authority, or disasters. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1322 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1319 + description: Apply administrative and technical measures to prevent errors in + personal data input when it is altered by data handlers. 
+ annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1323 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1319 + description: Establish and implement procedures to update personal data when + data subjects change their name or resident registration number, such as due + to name changes or data breaches. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1324 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.2 + description: Methods must be provided for data subjects to ensure the accuracy, + completeness, and timeliness of their personal data. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1325 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1324 + description: Notify data subjects regularly about the ability to update their + personal data via the website. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? 
+ + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1326 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1324 + description: Provide various methods for data subjects to easily view and update + their personal data, both online and offline. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1327 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1324 + description: Develop and implement secure identity verification procedures for + personal data changes. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1328 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1324 + description: Make it easy for data subjects to understand changes and updates + to the privacy policy and the history of personal data processing by posting + relevant information clearly. + annotation: 'Key Points for Verification: + + - Have procedures and measures been established and implemented to maintain + personal data in an accurate and up-to-date condition? + + - Are there methods provided for data subjects to ensure the accuracy, completeness, + and timeliness of their personal data?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.2.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + ref_id: 3.2.3 + name: Protection of Access to User Devices + - urn: urn:intuitem:risk:req_node:k_isms_p:node1330 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.3 + description: If access to information stored on the data subject's (user's) + mobile communication device or to features installed on the mobile communication + device is required, you must clearly inform the data subject (user) about + this requirement and obtain their consent. + annotation: 'Key Points for Verification: + + - If access to information stored on the data subject''s (user''s) mobile + communication device or to features installed on the mobile communication + device is required, is it clearly communicated to the data subject (user) + and is their consent obtained? + + - If the access permission is not essential for providing the service, are + you ensuring that the service is not denied if the data subject (user) does + not consent? + + - Have you established and provided methods for obtaining and withdrawing + consent from the data subject (user) for the required access permissions on + the mobile communication device?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1331 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1330 + description: The permission to access information and features stored on a smartphone + should be minimized to the extent necessary for the service. + annotation: 'Key Points for Verification: + + - If access to information stored on the data subject''s (user''s) mobile + communication device or to features installed on the mobile communication + device is required, is it clearly communicated to the data subject (user) + and is their consent obtained? 
+ + - If the access permission is not essential for providing the service, are + you ensuring that the service is not denied if the data subject (user) does + not consent? + + - Have you established and provided methods for obtaining and withdrawing + consent from the data subject (user) for the required access permissions on + the mobile communication device?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1332 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1330 + description: Before obtaining consent for access permissions, distinguish between + access permissions that are absolutely necessary for providing the service + (referred to as 'essential access permissions') and those that are not strictly + necessary (referred to as 'optional access permissions'). Clearly inform the + data subject (user) about the items and reasons for each type of access permission, + and obtain separate consent from them for both essential and optional access + permissions. + annotation: 'Key Points for Verification: + + - If access to information stored on the data subject''s (user''s) mobile + communication device or to features installed on the mobile communication + device is required, is it clearly communicated to the data subject (user) + and is their consent obtained? + + - If the access permission is not essential for providing the service, are + you ensuring that the service is not denied if the data subject (user) does + not consent? + + - Have you established and provided methods for obtaining and withdrawing + consent from the data subject (user) for the required access permissions on + the mobile communication device?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1333 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1332 + description: '(For essential access permissions): 1. Inform the data subject + (user) of the items of information and features that require access permissions. + 2. 
Explain the reasons why access to these information and features is necessary.' + annotation: 'Key Points for Verification: + + - If access to information stored on the data subject''s (user''s) mobile + communication device or to features installed on the mobile communication + device is required, is it clearly communicated to the data subject (user) + and is their consent obtained? + + - If the access permission is not essential for providing the service, are + you ensuring that the service is not denied if the data subject (user) does + not consent? + + - Have you established and provided methods for obtaining and withdrawing + consent from the data subject (user) for the required access permissions on + the mobile communication device?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1334 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1332 + description: '(For optional access permissions): In addition to the items 1 + and 2 above, you must also inform the data subject (user) that they have the + option to refuse to consent to the access permission.' + annotation: 'Key Points for Verification: + + - If access to information stored on the data subject''s (user''s) mobile + communication device or to features installed on the mobile communication + device is required, is it clearly communicated to the data subject (user) + and is their consent obtained? + + - If the access permission is not essential for providing the service, are + you ensuring that the service is not denied if the data subject (user) does + not consent? + + - Have you established and provided methods for obtaining and withdrawing + consent from the data subject (user) for the required access permissions on + the mobile communication device?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1335 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.3 + description: If access permissions that are not essential for providing the + service are required on a mobile communication device, the data subject (user) + should not be denied service if they choose not to consent. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1336 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.3 + description: You must establish and provide methods for the data subject (user) + to consent to or withdraw consent for access permissions on the mobile communication + device. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1337 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1336 + description: '(For operating systems with individual consent selection capability, + such as Android 6.0 or higher and iPhone): Even if the data subject (user) + has already consented to access permissions, they can use the app-specific + or permission-specific consent withdrawal features provided by the operating + system to reset permissions for each app.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1338 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1336 + description: "(For operating systems without individual consent selection capability):\ + \ Since the system does not support denial of permissions on a per-permission\ + \ basis and generally only allows setting essential permissions, if the data\ + \ subject (user) wishes to withdraw consent for these essential permissions,\ + \ they should uninstall the app. However, if the app itself provides a feature\ + \ to set optional permissions and choose whether to consent, the data subject\ + \ can use the app\u2019s consent withdrawal feature to reset the permissions." 
+ annotation: 'Note: For more detailed information, refer to the ''Smartphone + App Access Permission Privacy Protection Guide.''' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + ref_id: 3.2.4 + name: Use and Provision of Personal Information Beyond the Original Purpose + - urn: urn:intuitem:risk:req_node:k_isms_p:node1340 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: Personal data must be used or provided only within the scope of + the purpose for which consent was obtained from the data subject at the time + of initial collection or based on legal grounds. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? 
+ + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1341 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1340 + description: You must notify the data subject of the purpose of use or provision + and obtain consent within the scope allowed by the Personal Information Protection + Act or other laws. It is prohibited to use or provide personal data beyond + the scope permitted by the consent obtained or by law. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? 
+ + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1342 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: When receiving personal data from a data processor, it must be + used or provided only within the scope of the purpose for which it was provided. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? 
+ + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1343 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1342 + description: The recipient of personal data is prohibited from using or providing + the data for purposes other than those for which it was provided or from providing + it to third parties. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? 
+ + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1344 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: If personal data is used or provided beyond the scope of the collection + purpose or the purpose for which it was provided by the data processor, it + should be limited to cases where separate consent from the data subject is + obtained or where there is a legal basis for such use. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? 
+ + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1345 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1344 + description: Exceptions may apply where the use or provision of personal data + for purposes other than those initially intended is allowed (except where + there is a risk of unjustly infringing on the rights of the data subject or + third parties). + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? 
+ + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1344 + description: 'When obtaining consent for using or providing personal data for + purposes other than those originally intended, the following information must + be provided:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? 
+ + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1347 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + description: The recipient of the personal data + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1348 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + description: The purpose of using the personal data (for provision, the recipient's + purpose) + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1349 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + description: The items of personal data to be used or provided + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1350 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + description: The retention and use period of the personal data (for provision, + the recipient's retention and use period) + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1351 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1346 + description: The right to refuse consent and, if refusal results in any disadvantages, + the details of those disadvantages + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1352 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1344 + description: 'The recipient of personal data from another data processor must + not use the data for purposes other than those for which it was provided or + provide it to third parties, except in the following cases:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1353 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1352 + description: When separate consent has been obtained from the data subject + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1354 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1352 + description: When there are specific provisions in other laws + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1355 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: 'When providing personal data to a third party for purposes other + than those originally intended, the recipient should be requested to:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1356 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1355 + description: Restrict the purpose, method, duration, and form of use of the + personal data + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1357 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1355 + description: Take specific measures to ensure the security of the personal data, + and these measures should be requested in writing (including electronic documents) + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1358 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1355 + description: Clarification of Responsibilities Regarding the Recipient of Personal + Data and Measures for Ensuring Data Security + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1359 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: When a public institution uses personal data for purposes other + than those originally intended or provides it to a third party, it must publish + the necessary details about the legal basis, purpose, and scope of the use + or provision in the Official Gazette or on its website. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1360 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1359 + description: 'Exceptions to Publication in the Official Gazette or on the Website:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1361 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1360 + description: When the use or provision of personal data for purposes other than + those originally intended is based on the consent of the data subject. 
+ annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1362 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1360 + description: When the use or provision of personal data for purposes other than + those originally intended is for the investigation of crimes or the initiation + and maintenance of prosecution. 
+ annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1363 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1359 + description: 'Details to be Published in the Official Gazette or on the Website:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? 
+ + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1364 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1363 + description: The date of the use or provision of personal data for purposes + other than those originally intended. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? 
+ + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1365 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1363 + description: The legal basis for the use or provision of personal data for purposes + other than those originally intended. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? 
+ + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1366 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1363 + description: The purpose of the use or provision of personal data for purposes + other than those originally intended. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? 
+ + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1367 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1363 + description: The items of personal data used or provided for purposes other + than those originally intended. + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? 
+ + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1368 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1359 + description: 'Timing and Duration of Publication:' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? 
+ + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1369 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1368 + description: "Publication Timing:\_Within 30 days from the date of the use or\ + \ provision of personal data for purposes other than those originally intended." + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? 
+ + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1370 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1368 + description: "Publication Duration:\_If published on the website, it must remain\ + \ for at least 10 days." + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1371 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.4 + description: When public institutions or other entities use personal data for + purposes other than those initially intended or provide it to third parties, + they must record and manage this information in a 'Register of Unauthorized + Use and Provision of Personal Data.' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1372 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1371 + description: For public institutions, when personal data is used for purposes + other than those intended or provided to third parties, it must be recorded + and managed in the 'Register of Unauthorized Use and Provision of Personal + Data.' + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1373 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1371 + description: Procedures must be established to systematically respond to requests + for personal data or other materials from judicial or government authorities + (such as warrants, orders, or demands for data submission). + annotation: 'Key Points for Verification: + + - Are you using and providing personal data only within the scope of the purposes + for which consent was obtained from the data subject at the time of initial + collection or based on legal grounds? + + - If you have received personal data from a data controller, are you using + and providing it only within the scope of the purposes for which it was provided? + + - If you use or provide personal data beyond the scope of the original collection + purpose or the purpose for which it was provided by the data controller, are + you limiting it to cases where you have obtained separate consent from the + data subject or have a legal basis? + + - When providing personal data to a third party for purposes other than those + originally intended, do you request that the recipient restrict the use and + methods of the data and take necessary measures to ensure its security? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it publish the legal + grounds, purposes, and scope of such use or provision in official publications + or on its website? + + - When a public institution uses personal data for purposes other than those + originally intended or provides it to a third party, does it have procedures + in place to record and manage these instances in a log of non-purpose use + and third-party provision?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2 + ref_id: 3.2.5 + name: Processing of Pseudonymized Information + - urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: When processing pseudonymous information, procedures must be established + and implemented to ensure appropriate handling of pseudonymous information, + including purpose limitation, pseudonymization methods and criteria, adequacy + review, prohibition of re-identification, and measures to be taken in case + re-identification occurs. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? 
+ + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1376 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: Pseudonymization' refers to the processing of personal data in + a way that renders an individual unidentifiable without additional information, + which can include deleting or replacing part of the data. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? 
+ + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1377 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: Pseudonymous information' refers to information that has been pseudonymized + in such a way that it cannot identify a specific individual without using + or combining additional information, and this information remains within the + category of personal data. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? 
+ + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1378 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: Pseudonymous information' refers to information that has been pseudonymized + in such a way that it cannot identify a specific individual without using + or combining additional information, and this information remains within the + category of personal data. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? 
+ + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1379 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: According to the special provisions for pseudonymous information + processing, pseudonymous information can be processed without the data subject's + consent only for the purposes of statistical analysis, scientific research, + and public interest record preservation. Therefore, pseudonymizing personal + data for storage without a defined processing purpose does not fall under + the special provisions for pseudonymous information processing. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? 
+ + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1380 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: Procedures for pseudonymization must be established and implemented + to ensure an appropriate level of pseudonymization, taking into account the + processing purposes, usage environment, and data characteristics. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? 
+ + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1381 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: Examples of Pseudonymization Procedures (Pseudonymous Information + Processing Guidelines) + annotation: You will find a table on page 228 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1382 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1375 + description: If separate pseudonymized data processing guidelines exist for + the relevant field, apply the contents of those guidelines as a priority. + annotation: 'Examples include: Health and Medical Data Utilization Guidelines + (Ministry of Health and Welfare), Education Field Pseudonymous and Anonymous + Information Processing Guidelines (Ministry of Education), Public Sector Pseudonymous + Information Provision Practical Guide (Ministry of the Interior and Safety), + Financial Sector Pseudonymous and Anonymous Processing Guide (Financial Services + Commission), etc.' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1383 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: When pseudonymizing personal data for use or provision, it must + be processed in a manner that ensures individuals cannot be identified without + using or combining additional information. 
+ annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1384 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1383 + description: 'Personal Identifiable Information: When necessary, replace it + with values that cannot identify a specific individual but can distinguish + between individuals, such as generating random values or hash values.' 
+ annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1385 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1383 + description: 'Identifiable Information: If not required for the pseudonymous + information processing purposes, it should be deleted. For the remaining identifiable + information, pseudonymization should be performed using appropriate methods + and levels, considering the processing purposes and the risk of identification.' 
+ annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1386 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: When combining pseudonymous information with other data controllers, + it should be done through a designated combination expert institution or data + specialist institution. 
+ annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1387 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1386 + description: If combining pseudonymous information held by different data controllers + for purposes such as statistical analysis, scientific research, or public + interest record preservation, it should be done through a combination expert + institution designated by the Personal Information Protection Commission or + relevant central administrative agencies. 
+ annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1388 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1387 + description: 'Expert Institutions: Refer to the Comprehensive Pseudonymous Information + Combination Support System (link.privacy.go.kr)' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1389 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1387 + description: 'Financial Sector: When combining with datasets held by financial + companies, it should be performed through a data specialist institution in + accordance with the Credit Information Act.' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1390 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1386 + description: Pseudonymous Information Processing Procedures (Pseudonymous Information + Processing Guidelines) + annotation: You will find a table on page 229 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: When processing pseudonymous information, additional information + must be deleted or separated and stored/managed securely, and relevant records + must be created and maintained with necessary technical, managerial, and physical + measures to ensure security. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? 
+ + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1392 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + description: '(Administrative Protection Measures) + + Establishing and implementing internal management plans to safely manage pseudonymous + information and additional information + + Managing and supervising pseudonymous information processing contractors + + Including provisions in contracts for pseudonymous information processing + tasks and third-party provision, such as prohibiting re-identification + + Establishing and disclosing privacy policies related to pseudonymous information + processing + + Implementing training on pseudonymous information protection' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? 
+ + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1393 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + description: '(Technical Protection Measures) + + Separating or deleting additional information + + Restricting access rights to pseudonymous information and additional information + + Creating and maintaining records related to pseudonymous information processing' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? 
+ + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1394 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + description: (Physical Protection Measures) When storing pseudonymous information + or additional information in computer rooms or data storage rooms, establish + and implement procedures such as access control to protect against unauthorized + access. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? 
+ + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1395 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + description: (Other Protection Measures) Since pseudonymous information is considered + personal data, adhere to the security measures required by Article 29 of the + Personal Information Protection Act, including prohibiting pseudonymous processing + for the purpose of identifying individuals. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? 
+ + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1396 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1391 + description: (Re-identification Monitoring, etc.) If information that can identify + a specific individual is generated during the processing of pseudonymous information, + immediately cease processing the information and take prompt action to recover + and destroy it. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? 
+ + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1397 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: 'Processing Duration: Determine an appropriate period for processing + pseudonymous information based on its intended purpose. Destroy the information + promptly once the processing period has expired.' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? 
+ + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1398 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1397 + description: Set the processing period appropriately to achieve the purpose + of pseudonymous information processing. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? 
+ + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1399 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1397 + description: Destroy the pseudonymous information without delay once the processing + period has expired. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1400 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.2.5 + description: When anonymizing personal data, ensure that the level of anonymization + is sufficient such that the individual can no longer be identified, considering + factors such as time, cost, and technology. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1401 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1400 + description: '"Anonymous Information" refers to data that cannot identify an + individual even if other information is used, considering reasonable time, + cost, and technology.' + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1402 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1400 + description: When anonymizing, delete personally identifiable information and + use a combination of anonymization methods to ensure that personally identifiable + information is anonymized to an adequate level. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1403 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1400 + description: To ensure the adequacy of anonymization, establish and implement + a review process, such as forming a review committee composed of internal + and external experts. + annotation: 'Key Points for Verification: + + - When processing pseudonymous information, are procedures established to + ensure appropriate handling of pseudonymous information, including purpose + limitation, pseudonymization methods and criteria, adequacy review, prohibition + of re-identification, and measures to be taken in case re-identification occurs? + + - When pseudonymizing personal data for use or provision, is the pseudonymization + performed to a degree that the individual cannot be identified without the + use or combination of additional information? + + - When combining pseudonymous information with other personal data controllers, + is the combination done through specialized institutions or data combination + organizations? + + - When processing pseudonymous information, are additional information deleted + or separately stored and managed, and are technical, managerial, and physical + measures implemented to ensure safety, including the creation and retention + of related records? + + - Considering the purpose of processing pseudonymous information, is the processing + period set to an appropriate duration, and is the information promptly destroyed + after this period expires? + + - When anonymizing personal data, is the anonymization performed to a level + where, considering time, cost, and technology, it is not possible to identify + a specific individual even with the use of additional information?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3 + ref_id: '3.3' + name: Protection Measures When Providing Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3 + ref_id: 3.3.1 + name: Provision of Personal Information to Third Parties + - urn: urn:intuitem:risk:req_node:k_isms_p:node1406 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: When providing personal data to third parties, you must clearly + identify and comply with legal requirements, such as obtaining the data subject's + consent and adhering to legal obligations, to ensure the lawful provision + of personal data. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? 
+ + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1407 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1406 + description: 'Scope of Third Parties:' + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? 
Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1408 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1407 + description: All entities except for the data subject and the personal data + controller who collects and retains the data (departments and organizations + within the same personal data controller are not considered third parties). + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1409 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1406 + description: 'For each method of providing personal data, clearly identify the + legal requirements for data provision and maintain related evidence to prove + compliance:' + annotation: For example, if personal data is provided without the data subject's + consent due to specific legal provisions or to comply with legal obligations, + document the relevant legal provisions or regulations. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1410 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1406 + description: 'A personal data controller may provide (including sharing) personal + data to a third party in the following cases:' + annotation: (Specific details to be listed depending on the applicable laws + or regulations.) + - urn: urn:intuitem:risk:req_node:k_isms_p:node1411 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: Consent for providing personal data to a third party must be obtained + separately from consent for collection and use. If providing data to a third + party is not essential for performing the core functions of the service, then + service provision should not be refused on the grounds of not consenting to + the third-party data provision. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? 
+ + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1412 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: When obtaining consent from the data subject for providing personal + data to a third party, relevant information must be clearly communicated, + and important details required by law must be explicitly indicated to make + it easily understandable. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? 
+ + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1413 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1412 + description: When obtaining consent for the provision of personal data to a + third party from the data subject, five statutory notices must be communicated + in a specific and clear manner. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? 
+ + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1414 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1412 + description: "For consent from the data subject to be lawful, it must meet all\ + \ legal requirements, including the data subject\u2019s free will in making\ + \ the decision, and the specificity and clarity of the consent details." + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? 
+ + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1415 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1412 + description: 'According to Article 22, Section 2 of the Personal Information + Protection Act, when obtaining consent for the processing of personal data + in writing (including electronic documents as defined in Article 2, Section + 1 of the Electronic Transactions Basic Act), important details must be clearly + highlighted and made easily understandable as follows:' + annotation: For detailed information, refer to the 'User-Friendly Personal Data + Processing Consent Guide' (Personal Information Protection Commission). + - urn: urn:intuitem:risk:req_node:k_isms_p:node1416 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: When providing personal data to a third party, it must be limited + to the minimum necessary data items that match the purpose of the provision. 
+ annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1417 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1416 + description: 'When providing data based on consent: Only provide the minimum + necessary personal data required to achieve the purpose disclosed at the time + of consent.' 
+ annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1418 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1416 + description: 'When providing data based on legal grounds: Provide only the minimum + necessary personal data required as specifically stated by the law or to comply + with legal obligations.' 
+ annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1419 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: During the process of providing personal data to a third party, + ensure that the data is protected from exposure or leakage by using secure + procedures and methods, and record and store the related provision details. 
+ annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1420 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: When allowing third parties access to personal data, control access + according to protection procedures to ensure the data is safely protected. 
+ annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1421 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1420 + description: Implement secure authentication and access control measures to + ensure only authorized individuals can access the data. 
+ annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1422 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1420 + description: Use encryption measures to prevent eavesdropping during transmission. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? 
+ + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1423 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1420 + description: Maintain access logs to ensure accountability and traceability. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? + + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? 
+ + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1424 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.1 + description: When providing additional personal data without the information + subject's consent, establish and implement criteria for considerations such + as relevance to the original collection purpose, predictability, potential + harm to interests, and safety measures. If additional provision of data continues + to occur, disclose this in the personal data processing policy and check for + compliance with these criteria. + annotation: 'Key Points for Verification: + + - When providing personal data to third parties, are legal requirements such + as obtaining the data subject''s consent and compliance with legal obligations + clearly identified and followed? 
+ + - When obtaining consent from the data subject for providing personal data + to third parties, are the relevant details clearly communicated, and is consent + obtained in a manner that distinguishes it from other consent matters? + + - When obtaining consent from the data subject for providing personal data + to third parties, is the information clearly communicated, and are critical + details required by law clearly marked to ensure easy understanding? + + - When providing personal data to third parties, is the information limited + to the minimum necessary items for the purpose of provision? + + - When providing personal data to third parties, are secure procedures and + methods used, and are records of the provision kept? + + - When allowing third parties access to personal data, is the data controlled + according to protection procedures to ensure its security? + + - When providing additional personal data without the data subject''s consent, + are criteria established and implemented for assessing relevance to the original + collection purpose, predictability, potential harm, and safety measures? Additionally, + if such additional provision continues, are these criteria disclosed in the + privacy policy and monitored ?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.3.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3 + ref_id: 3.3.2 + name: Outsourcing of Personal Information Processing Tasks + - urn: urn:intuitem:risk:req_node:k_isms_p:node1426 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.2 + description: When outsourcing (including subcontracting) personal data processing + tasks to a third party, the details of the outsourced tasks and the subcontractor + must be continuously updated and made publicly available on the website, so + that data subjects can easily check them at any time. 
+ annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1427 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1426 + description: 'Information to be provided to data subjects:' + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1428 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1427 + description: Details of the outsourced tasks. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1429 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1427 + description: The third party (subcontractor) responsible for processing the + personal data. + annotation: The term "subcontractor" includes third parties (sub-subcontractors) + who receive tasks from the original subcontractor. + - urn: urn:intuitem:risk:req_node:k_isms_p:node1430 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1426 + description: 'Disclosure methods for personal data processing outsourcing details + (according to Article 28(2) and (3) of the Enforcement Decree of the Personal + Information Protection Act):' + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1431 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1430 + description: Posting the details of the outsourced tasks and the subcontractor + on the website of the outsourcing party. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1432 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1430 + description: 'If posting on the website is not possible, one or more of the + following methods should be used:' + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1433 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1432 + description: "1. Posting in a visible location at the outsourcing party\u2019\ + s business premises." + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1434 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1432 + description: "2. Publishing in the Official Gazette (only if the outsourcing\ + \ party is a public institution) or in general daily newspapers, weekly newspapers,\ + \ or online newspapers that are distributed in the region where the outsourcing\ + \ party\u2019s business is located, as defined by the Newspaper Promotion\ + \ Act." 
+ annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1435 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1432 + description: 3.Including in publications, newsletters, promotional materials, + or invoices distributed to data subjects at least twice a year under the same + title. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1436 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1432 + description: 4.Including in contracts or agreements made between the outsourcing + party and the data subject for the provision of goods or services. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? 
+ + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1437 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1426 + description: 'Important considerations:' + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1438 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1437 + description: Even if there are many subcontractors, all subcontractor names + must be listed and disclosed. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1439 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1437 + description: If there is subcontracting, information about the subcontracting + must also be disclosed. 
+ annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1440 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1437 + description: If the content of the outsourced tasks or the subcontractor changes, + the updated information must be promptly reflected and disclosed on the website + or through other means. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1441 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.2 + description: When outsourcing tasks related to promoting or selling goods or + services, the details of the outsourced tasks and the subcontractor must be + communicated to the data subject via written methods such as email, text messages, + etc. + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? 
+ + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1442 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1441 + description: "Notification methods:\_Written methods (including written documents,\ + \ email, fax, phone, text messages, or equivalent methods)" + annotation: 'Key Points for Verification: + + - When outsourcing (including subcontracting) personal data processing tasks + to a third party, is the content of the outsourced tasks and the subcontractor + updated and publicly disclosed on the website? + + - When outsourcing tasks related to promoting or selling goods or services, + are the content of the outsourced tasks and the subcontractor notified to + the data subjects via written documents, emails, text messages, or other methods?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1443 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1441 + description: "Notification details:\_Content of the outsourced tasks, subcontractor" + annotation: For matters related to the outsourcing of personal data processing + tasks, such as outsourcing contracts, consent for subcontracting, and management + and supervision of subcontractors, refer to the certification standards for + the "External Security" section (2.3). + - urn: urn:intuitem:risk:req_node:k_isms_p:3.3.3 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3 + ref_id: 3.3.3 + name: Transfer of Personal Information Due to Business Transfer, etc. 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1445 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.3 + description: 'When transferring all or part of a business, or in cases of mergers, + where personal data is transferred to another party, the following information + must be provided to the data subject in advance:' + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1446 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1445 + description: 'Information to be Provided:' + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1447 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1446 + description: The fact that personal data is being transferred. 
+ annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1448 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1446 + description: The name, address, phone number, and other contact details of the + person receiving the personal data. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1449 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1446 + description: Methods and procedures for the data subject to take action if they + do not wish for their personal data to be transferred. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? 
+ + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1450 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1445 + description: 'Methods of Notification:' + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1451 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1450 + description: Through email, written notice, fax, phone, or similar methods. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1452 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1450 + description: "If the data subject\u2019s contact information cannot be obtained\ + \ without negligence, the information should be posted on the website for\ + \ at least 30 days." + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1453 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1452 + description: If the transferor does not operate a website, the information should + be posted at a visible location at their business premises for at least 30 + days. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1454 + assessable: true + depth: 7 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1452 + description: Alternatively, the information can be published in a daily newspaper, + weekly newspaper, or online newspaper within the main distribution area of + the business location according to the Newspaper Promotion Act. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1455 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.3 + description: If the transferee is subject to legal notification requirements, + they must promptly inform the data subject of the fact that they have received + the personal data and other necessary details. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1456 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1455 + description: If the transferor has already notified the data subject of the + transfer, the transferee does not need to provide additional notice. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1457 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1455 + description: However, if the personal data has been transferred without the + transferor notifying the data subject, the transferee must inform the data + subject of the transfer. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1458 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.3 + description: The recipient of the personal data must use the data only for the + original purposes at the time of the transfer or provide it to third parties + only for those purposes. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1459 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1458 + description: If the recipient of personal data intends to use or provide the + data beyond the original purpose for which it was transferred, they must obtain + separate consent from the data subject. + annotation: 'Key Points for Verification: + + - When transferring all or part of a business, or in cases of mergers, is + the data subject informed in advance of the necessary details regarding the + transfer of personal data? + + - If the person receiving the personal data is subject to legal notification + requirements, are they promptly informing the data subject of the fact of + receiving the personal data and other necessary details? + + - Is the person receiving the personal data using it only for the original + purposes at the time of the transfer, or not providing it to third parties?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.3.4 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3 + ref_id: 3.3.4 + name: International Transfer of Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:node1461 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.4 + description: When providing (including in cases of retrieval), outsourcing, + or storing personal data to a third party abroad (hereinafter referred to + as 'transfer'), all required notifications about the overseas transfer must + be provided to the data subject, and separate consent must be obtained or + legal requirements such as certification or acknowledgment must be complied + with. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1462 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1461 + description: 'Conditions under which the transfer of personal data abroad is + permissible (Article 28-8, Paragraph 1 of the Personal Information Protection + Act):' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1463 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1461 + description: When agreeing to transfer personal information overseas, all five + items below must be notified and consent must be obtained. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? 
+ + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1464 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.4 + description: 'When outsourcing the processing or storage of personal data abroad + for the purpose of contract execution with the data subject, the following + must be communicated adequately:' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1465 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1464 + description: 'Methods for Informing the Data Subject:' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? 
+ + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1466 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1465 + description: 1. Disclosure in the Privacy Policy. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1467 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1465 + description: "2. Written methods\_(such as written notice, email, fax, phone,\ + \ text messaging, or similar methods)." 
+ annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1464 + description: 'Information to be Provided to the Data Subject:' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1469 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + description: 1.The items of personal data being transferred. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1470 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + description: 2. The countries, timing, and methods of data transfer. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? 
+ + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1471 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + description: 3. The name (or designation and contact information, if a corporation) + of the entity receiving the data. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1472 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + description: 4.The purpose and retention period of the data by the recipient. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? 
+ + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1473 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1468 + description: 5. How to refuse the data transfer, the procedure for refusal, + and the consequences of refusal. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1474 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.3.4 + description: Contracts for overseas transfers must comply with data protection + laws and include terms related to the protection of personal data. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? 
+ + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1475 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1474 + description: 'Key Aspects to Include in the Contract:' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1476 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1475 + description: 1. Safety measures for data protection as per Article 30(1) of + the Enforcement Decree of the Personal Information Protection Act. 
+ annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1477 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1475 + description: 2. Measures for handling complaints and resolving disputes related + to data breaches. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1478 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1475 + description: "3. Additional necessary measures for protecting the data subject\u2019\ + s personal data." + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1474 + description: 'Protection Measures Required for Overseas Transfers:' + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? 
+ + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1480 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: 1. Compliance with relevant regulations on overseas data transfers + under the Personal Information Protection Act. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1481 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: 2. Adherence to Articles 17 through 19 of the Personal Information + Protection Act. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? 
+ + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1482 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: "3. Compliance with Chapter 5 of the Personal Information Protection\ + \ Act, concerning the protection of the data subject\u2019s rights." + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1483 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: 4. Safety measures as per Article 30(1) of the Enforcement Decree + of the Personal Information Protection Act. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? 
+ + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1484 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: 5. Measures for handling complaints and resolving disputes related + to data breaches. + annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1485 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1479 + description: "6. Additional necessary measures to protect the data subject\u2019\ + s personal data." 
+ annotation: 'Key Points for Verification: + + - When transferring personal data abroad, are all required notifications about + the overseas transfer provided to the data subject, and is separate consent + obtained or are legal requirements such as certification or acknowledgment + being complied with? + + - When notifying the data subject about the overseas processing and storage + of personal data for the purpose of fulfilling a contract with them, is all + necessary information included and communicated in an appropriate manner? + + - Are contracts related to the overseas transfer of personal data being executed, + including compliance with data protection laws and regulations? + + - When transferring personal data abroad, are necessary measures being taken + to ensure data protection?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3 + ref_id: '3.4' + name: Protection Measures When Destroying Personal Information + - urn: urn:intuitem:risk:req_node:k_isms_p:3.4.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4 + ref_id: 3.4.1 + name: ' Destruction of Personal Information' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1488 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.1 + description: 'Internal policies regarding the retention period and destruction + of personal data should include the following:' + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? 
+ + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1489 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1488 + description: 'For each collection item, purpose, and method: Storage location + (e.g., databases, backup data), destruction method, timing of destruction, + and legal basis.' + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1490 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1488 + description: Public institutions must establish and implement a personal data + destruction plan reflecting the retention period and processing purpose of + personal data files and may include this plan in their internal management + plan. (Standard Personal Data Protection Guidelines, Article 55, Paragraph + 2) + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? 
+ + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1491 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.1 + description: When the purpose of processing personal data is achieved or the + retention period has expired, the data must be destroyed without delay. + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1492 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1491 + description: When personal data is no longer needed, due to achievement of processing + purposes, discontinuation of the service, termination of business, or expiration + of the legal retention period, the data must be destroyed within 5 days unless + there is a valid reason. + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.1 + description: When destroying personal data, it must be done in a manner that + prevents recovery or reconstruction. + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1494 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + description: Complete destruction (e.g., incineration, shredding) + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1495 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + description: Use of specialized equipment (e.g., devices that use magnetic fields + to delete data from storage) + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1496 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + description: Initialization or overwriting to prevent data recovery + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1497 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + description: 'If only part of the data is destroyed, and the above methods are + difficult, implement the following measures:' + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1498 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1497 + description: '1. For electronic files: Manage and supervise to prevent recovery + and reconstruction after deletion.' + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1499 + assessable: true + depth: 6 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1497 + description: '2. 
For non-electronic records, printed materials, written documents, + etc.: Delete using methods such as masking or punching.' + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1500 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1493 + description: If the above methods are significantly difficult due to technical + reasons, process the data as information covered by Article 58-2 of the Act + (anonymization) to make recovery impossible. + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1501 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.1 + description: Records of personal data destruction must be maintained and managed. 
+ annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1502 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1501 + description: "The destruction and results\_must be verified under the responsibility\ + \ of the personal data protection officer, and matters related to destruction\ + \ must be recorded and managed." + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1503 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1501 + description: "Records of destruction\_should be recorded in a destruction management\ + \ ledger or stored as records, such as photos of the destruction." + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? 
+ + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1504 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1501 + description: "Public institutions\_must verify the destruction results and create\ + \ a destruction management ledger for personal data files. (Standard Personal\ + \ Data Protection Guidelines, Article 55)" + annotation: 'Key Points for Verification: + + - Are the following practices in place regarding the retention and destruction + of personal data? + + - Have internal policies been established regarding the retention period and + destruction of personal data? + + - When the purpose of processing personal data is fulfilled or the retention + period expires, is the data destroyed without delay? + + - When destroying personal data, is it done in a manner that prevents recovery + or reconstruction of the data? + + - Are records of the destruction of personal data maintained and managed?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.4.2 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4 + ref_id: 3.4.2 + name: Measures When Retaining Information After Achieving Processing Purpose + - urn: urn:intuitem:risk:req_node:k_isms_p:node1506 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.2 + description: If personal data is retained beyond the retention period or after + the purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, it must be managed to retain only the + minimum information necessary for the minimum period required by those laws. + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1507 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1506 + description: "Limit the personal data items\_to the minimum required for the\ + \ intended purpose." 
+ annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1508 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1506 + description: "Set the retention period\_according to the minimum duration specified\ + \ by the relevant laws." + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1509 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.2 + description: 'If personal data is retained beyond the retention period or after + the purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, the personal data or personal data files + must be stored and managed separately from other personal data. + + ' + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1510 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1509 + description: "Separate databases\_should be configured either physically or\ + \ logically." + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? 
+ + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1511 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.2 + description: "Manage the separated personal data\_so that it can only be processed\ + \ within the scope of purposes specified by the laws." + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1512 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1511 + description: Separated personal data must not be used for purposes other than + those specified by law, such as marketing. 
+ annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1513 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.4.2 + description: Access to separated personal data should be restricted to the minimum + number of people. + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1514 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1513 + description: Limit access permissions to the smallest number of individuals + for separated databases. + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? + + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1515 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1513 + description: Maintain access logs for separated databases and review them regularly. + annotation: 'Key Points for Verification: + + - When personal data is retained beyond the retention period or after the + purpose of processing has been achieved, without destruction in accordance + with relevant laws and regulations, is it managed to retain only the minimum + information for the minimum period required by those laws? + + - If personal data is retained beyond the retention period or after the processing + purpose has been achieved, is the data or personal data file stored and managed + separately from other personal data? + + - Is the retained personal data managed to ensure it is only processed within + the scope of the purposes specified by the law? 
+ + - Is access to the retained personal data limited to the minimum number of + authorized personnel?' + - urn: urn:intuitem:risk:req_node:k_isms_p:3.5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3 + ref_id: '3.5' + name: Protection of Data Subject Rights + - urn: urn:intuitem:risk:req_node:k_isms_p:3.5.1 + assessable: false + depth: 3 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5 + ref_id: 3.5.1 + name: Disclosure of Personal Information Processing Policy + - urn: urn:intuitem:risk:req_node:k_isms_p:node1518 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.1 + description: The privacy policy must be written in a clear and specific manner + using easy-to-understand terms, including all content required by law. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1519 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1518 + description: Mandatory items to include in the privacy policy (refer to Article + 30 of the Personal Information Protection Act and Article 31 of the Enforcement + Decree of the same Act). + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? 
+ + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1520 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1518 + description: Other items to include in the privacy policy (refer to Article + 19 of the Standard Privacy Protection Guidelines). + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? + + - When changes are made to the privacy policy, are the reasons for and details + of the changes promptly communicated, and are measures in place to ensure + that individuals can easily see the updated information at any time?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1521 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1518 + description: For personal data that can be processed without consent, differentiate + it from personal data that requires consent by disclosing the items and legal + grounds for processing in the privacy policy. + annotation: 'Key Points for Verification: + + - Has the privacy policy been written in a way that includes all the legal + requirements and is clear and specific in easy-to-understand terms? + + - Is the privacy policy continuously updated and publicly available on the + website or other accessible platforms so that individuals can easily review + it? 
+
+ - When changes are made to the privacy policy, are the reasons for and details
+ of the changes promptly communicated, and are measures in place to ensure
+ that individuals can easily see the updated information at any time?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1522
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1518
+ description: The content of the privacy policy, including the purpose of processing,
+ the items of personal data processed, and third-party provision details, must
+ accurately reflect the actual data processing situation and be written clearly
+ and specifically in easy-to-understand terms, considering the characteristics
+ of the service and the data subjects.
+ annotation: 'Key Points for Verification:
+
+ - Has the privacy policy been written in a way that includes all the legal
+ requirements and is clear and specific in easy-to-understand terms?
+
+ - Is the privacy policy continuously updated and publicly available on the
+ website or other accessible platforms so that individuals can easily review
+ it?
+
+ - When changes are made to the privacy policy, are the reasons for and details
+ of the changes promptly communicated, and are measures in place to ensure
+ that individuals can easily see the updated information at any time?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1523
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1522
+ description: 1. Establish specific and appropriate details on processing grounds,
+ data subject rights, and other legally required aspects.
+ annotation: 'Key Points for Verification:
+
+ - Has the privacy policy been written in a way that includes all the legal
+ requirements and is clear and specific in easy-to-understand terms?
+
+ - Is the privacy policy continuously updated and publicly available on the
+ website or other accessible platforms so that individuals can easily review
+ it?
+
+ - When changes are made to the privacy policy, are the reasons for and details
+ of the changes promptly communicated, and are measures in place to ensure
+ that individuals can easily see the updated information at any time?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1524
+ assessable: true
+ depth: 6
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1522
+ description: 2. Prepare the privacy policy in clear and understandable language
+ for the data subjects.
+ annotation: 'Key Points for Verification:
+
+ - Has the privacy policy been written in a way that includes all the legal
+ requirements and is clear and specific in easy-to-understand terms?
+
+ - Is the privacy policy continuously updated and publicly available on the
+ website or other accessible platforms so that individuals can easily review
+ it?
+
+ - When changes are made to the privacy policy, are the reasons for and details
+ of the changes promptly communicated, and are measures in place to ensure
+ that individuals can easily see the updated information at any time?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1525
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1518
+ description: In cases where exceptions apply under the Personal Information
+ Protection Act, it may not be necessary to establish a privacy policy.
+ annotation: 'Key Points for Verification:
+
+ - Has the privacy policy been written in a way that includes all the legal
+ requirements and is clear and specific in easy-to-understand terms?
+
+ - Is the privacy policy continuously updated and publicly available on the
+ website or other accessible platforms so that individuals can easily review
+ it?
+
+ - When changes are made to the privacy policy, are the reasons for and details
+ of the changes promptly communicated, and are measures in place to ensure
+ that individuals can easily see the updated information at any time?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1526
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.1
+ description: The privacy policy must be continuously updated and made accessible
+ on the internet homepage or other platforms so that data subjects can easily
+ review it.
+ annotation: 'Key Points for Verification:
+
+ - Has the privacy policy been written in a way that includes all the legal
+ requirements and is clear and specific in easy-to-understand terms?
+
+ - Is the privacy policy continuously updated and publicly available on the
+ website or other accessible platforms so that individuals can easily review
+ it?
+
+ - When changes are made to the privacy policy, are the reasons for and details
+ of the changes promptly communicated, and are measures in place to ensure
+ that individuals can easily see the updated information at any time?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1527
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1526
+ description: Use the standardized term "Privacy Policy".
+ annotation: 'Key Points for Verification:
+
+ - Has the privacy policy been written in a way that includes all the legal
+ requirements and is clear and specific in easy-to-understand terms?
+
+ - Is the privacy policy continuously updated and publicly available on the
+ website or other accessible platforms so that individuals can easily review
+ it?
+
+ - When changes are made to the privacy policy, are the reasons for and details
+ of the changes promptly communicated, and are measures in place to ensure
+ that individuals can easily see the updated information at any time?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1528
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1526
+ description: When posting on the homepage, differentiate it from other notices
+ by using font size, color, etc., to make it easily noticeable to data subjects.
+ annotation: 'Key Points for Verification:
+
+ - Has the privacy policy been written in a way that includes all the legal
+ requirements and is clear and specific in easy-to-understand terms?
+
+ - Is the privacy policy continuously updated and publicly available on the
+ website or other accessible platforms so that individuals can easily review
+ it?
+
+ - When changes are made to the privacy policy, are the reasons for and details
+ of the changes promptly communicated, and are measures in place to ensure
+ that individuals can easily see the updated information at any time?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1529
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1526
+ description: If no website is available, the privacy policy can be disclosed
+ using other legally prescribed methods.
+ annotation: 'Key Points for Verification:
+
+ - Has the privacy policy been written in a way that includes all the legal
+ requirements and is clear and specific in easy-to-understand terms?
+
+ - Is the privacy policy continuously updated and publicly available on the
+ website or other accessible platforms so that individuals can easily review
+ it?
+
+ - When changes are made to the privacy policy, are the reasons for and details
+ of the changes promptly communicated, and are measures in place to ensure
+ that individuals can easily see the updated information at any time?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1530
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.1
+ description: When changes are made to the privacy policy, promptly notify the
+ reasons and details of the changes, and ensure that data subjects can easily
+ access and understand the updated information.
+ annotation: 'Key Points for Verification:
+
+ - Has the privacy policy been written in a way that includes all the legal
+ requirements and is clear and specific in easy-to-understand terms?
+
+ - Is the privacy policy continuously updated and publicly available on the
+ website or other accessible platforms so that individuals can easily review
+ it?
+
+ - When changes are made to the privacy policy, are the reasons for and details
+ of the changes promptly communicated, and are measures in place to ensure
+ that individuals can easily see the updated information at any time?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1531
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1530
+ description: Compare and disclose the changes before and after the update so
+ that data subjects can easily review the modifications.
+ annotation: 'Key Points for Verification:
+
+ - Has the privacy policy been written in a way that includes all the legal
+ requirements and is clear and specific in easy-to-understand terms?
+
+ - Is the privacy policy continuously updated and publicly available on the
+ website or other accessible platforms so that individuals can easily review
+ it?
+
+ - When changes are made to the privacy policy, are the reasons for and details
+ of the changes promptly communicated, and are measures in place to ensure
+ that individuals can easily see the updated information at any time?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5
+ ref_id: 3.5.2
+ name: Guaranteeing the Rights of Data Subjects
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1533
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2
+ description: The method and procedure for exercising the rights to access, correct,
+ delete, suspend processing, and withdraw consent regarding personal information
+ (hereinafter referred to as 'requests for access, etc.') by the data subject
+ or their representative must be established and disclosed in a manner that
+ is not more difficult than the methods and procedures for collecting personal
+ information.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1534
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533
+ description: A specific method and procedure must be established for the data
+ subject to make requests for access, etc., and this must be made easily accessible
+ to the data subject.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1535
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533
+ description: The method and procedure for the data subject to exercise their
+ rights must be at least as easy and convenient as the procedure for collecting
+ personal information or signing up as a member, and additional documents that
+ were not required during the collection of personal information should not
+ be requested.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1536
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533
+ description: It is necessary to provide a variety of methods for exercising
+ these rights (e.g., in-person, written request, phone, email, website) to
+ ensure the data subject can choose the most convenient option.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1537
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533
+ description: It must be verified that the person making the request for access,
+ etc. is the data subject themselves or a legitimate representative. The verification
+ method should be an objectively recognized reasonable means (e.g., electronic
+ signature, i-PIN, ID verification, etc.).
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1538
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533
+ description: If the personal information controller is a public institution,
+ identity verification should be conducted through the joint use of administrative
+ information in accordance with the "Electronic Government Act" if possible.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1539
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1533
+ description: You may charge the person requesting access, etc., a fee and postage
+ within the scope of the actual cost required to perform the related work.
+ However, if the reason for the request is due to the personal information
+ controller, fees and postage cannot be charged.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1540
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2
+ description: When the data subject or their representative requests access to
+ personal information, the necessary measures must be taken within 10 days
+ to allow the data subject to view the relevant personal information.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1541
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1540
+ description: 'The data subject may request access to the following items regarding
+ their personal information processed by the personal information controller:'
+ annotation: You will find it on page 253
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1542
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1540
+ description: If there is a legitimate reason why access cannot be provided within
+ 10 days, the data subject must be informed of the reason, and the access can
+ be postponed. After the reason for the postponement has been resolved, access
+ to the personal information must be granted within 10 days from the date the
+ reason is resolved.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1543
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1540
+ description: If there is a reason to restrict or deny access to personal information,
+ the data subject must be informed of the reason, and access may be restricted
+ or denied
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1544
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1540
+ description: If certain parts of the requested information have reasons for
+ access restriction or denial, access to those specific parts can be restricted,
+ while allowing access to the remaining parts.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1545
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2
+ description: If you are subject to legal obligations, procedures and measures
+ must be established and implemented to respond to requests for the transfer
+ of personal information from the data subject or their representative.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1546
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1545
+ description: The legal obligations to respond to a data subject's request for
+ the transfer of personal information (data transferor).
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+ + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1547 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1545 + description: 'Information that can be requested for transfer (personal data + that meets all of the following requirements):' + annotation: You will find it on page 254 + - urn: urn:intuitem:risk:req_node:k_isms_p:node1548 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1545 + description: 'Requirements for the personal information processor who can receive + the transferred personal data under the transfer request (information recipient):' + annotation: The amended provisions of the Personal Information Protection Act + related to the right to data portability (Article 35-2) will come into effect + from the date specified by Presidential Decree, which will be within one to + two years after one year has passed since its announcement (March 14, 2023). 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1549 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: 'When the data subject or their representative requests correction + or deletion of personal information, if the request is deemed justified, the + personal information must be examined within 10 days, and actions such as + correction or deletion must be taken accordingly, with the results communicated + to the data subject:' + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1550 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1549 + description: Respond with the results of the action within 10 days of receiving + the request for correction or deletion of personal information. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1551 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1549 + description: If the personal information has been outsourced or provided to + a third party, notify the contractor or third party to take action upon receiving + the correction request or withdrawal of consent. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1552 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1549 + description: If the collection of that personal information is specified by + other laws, the request for deletion may be refused. In such cases, the decision + not to comply, the content of the relevant laws, the reasons, and the methods + for objection must be communicated to the data subject within 10 days of receiving + the correction or deletion request, using a personal information correction + or deletion notification (e.g., records related to contract or withdrawal + of subscription under the Electronic Commerce Act). + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? 
+ + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1553 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: 'When the data subject or their representative requests the suspension + of personal information processing, unless there is a special reason, the + processing must be partially or fully suspended immediately, and the result + must be communicated to the data subject:' + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? 
+ + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1554 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1553 + description: Respond with the results within 10 days of receiving the request + for suspension of personal information processing. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? 
+ + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1555 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1553 + description: If there are reasons to refuse the suspension of personal information + processing, notify the requester within 10 days of receiving the request. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? 
+ + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1556 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: When the data subject or their representative withdraws consent + for the collection, use, or provision of personal information, necessary actions, + including the immediate destruction of the collected personal information, + must be taken. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? 
+ + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1557 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: When the data subject or their representative requests to refuse + or obtain an explanation for decisions made through fully automated systems + (including those using artificial intelligence technology), necessary actions + must be taken. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? 
+ + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1558 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1557 + description: The data subject has the right to refuse automated decisions or + request an explanation. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1559 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1557 + description: If the data subject requests to refuse or seek explanations for + automated decisions, unless there are legitimate reasons, the automated decision + should not be applied, or necessary actions such as human intervention or + reprocessing and explanations should be taken. Procedures should be established + and implemented accordingly. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' 
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1560 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1557 + description: When making automated decisions, the criteria and procedures for + the automated decision, as well as how personal information is processed, + should be disclosed in a manner easily accessible to the data subject. + annotation: 'Note: The revised provisions of Article 37-2 of the Personal Information + Protection Act related to refusal and explanation of automated decisions will + come into effect one year after its promulgation (March 15, 2024).' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1561 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: "If there is any dispute regarding the measures taken in response\ + \ to the data subject\u2019s request for access or other actions, necessary\ + \ procedures must be established to allow for objections." + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? 
+ + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1562 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1561 + description: In such cases, the objection procedures should be operated fairly, + possibly involving external experts or internal checks and balances. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? 
+ + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1563 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: Records of the data subject's requests and the results of processing + those requests must be maintained. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? 
+ + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1564 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1563 + description: Regular reviews of records related to data subject requests should + be conducted to ensure that rights are being appropriately protected, and + corrective measures should be taken if necessary. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? + + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? 
+ + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1565 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.2 + description: When personal rights are infringed upon through information communication + networks, procedures must be established and implemented to allow the affected + party to request the deletion of the information or other remedies from the + information communication service provider, and necessary measures should + be taken to prevent personal information from being exposed to the public + through these networks. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? 
+ + - Are records being kept regarding the data subject''s requests for access, + etc., and the results of those requests? + + - Is a procedure in place and being implemented that allows individuals who + have had their privacy or reputation infringed upon by someone else on the + information network to request the deletion of that information from the information + and communications service provider?' + - urn: urn:intuitem:risk:req_node:k_isms_p:node1566 + assessable: true + depth: 5 + parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1565 + description: If personal information is disclosed to the public through information + communication networks and infringes on privacy or defames others, the affected + party should be able to request the deletion or posting of rebuttals from + the service provider by proving the infringement. + annotation: 'Key Points for Verification: + + - Has a method and procedure been established and disclosed that allows data + subjects or their representatives to exercise their rights to access, correct, + delete, suspend processing, and withdraw consent (hereinafter referred to + as ''requests for access, etc.'') without being more difficult than the methods + and procedures for collecting personal information? + + - When a data subject or their representative makes a request for access, + etc., are the necessary actions being taken within the required timeframe? + + - When a data subject or their representative withdraws consent for the collection, + use, or provision of personal information, are necessary actions, such as + promptly destroying the collected personal information, being taken without + delay? + + - In case the data subject is dissatisfied with the actions taken in response + to their request for access, etc., is a procedure in place to allow them to + file an objection, and is this procedure being communicated to them? 
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1567
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1565
+ description: If a service provider receives a request to delete or take temporary
+ action regarding information that infringes on others' rights, they must take
+ necessary actions promptly and notify the requester and the information publisher
+ immediately.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1568
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1565
+ description: The terms and procedures related to remedies for infringed rights
+ should be clearly specified in the terms of service.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1569
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1565
+ description: Personal information controllers must ensure that unique identification
+ information, account information, credit card information, and other personal
+ data are not exposed to the public through information communication networks,
+ and must take necessary actions, such as deleting or blocking the information,
+ if requested by the Personal Information Protection Commission or the Korea
+ Internet & Security Agency.
+ annotation: 'Key Points for Verification:
+
+ - Has a method and procedure been established and disclosed that allows data
+ subjects or their representatives to exercise their rights to access, correct,
+ delete, suspend processing, and withdraw consent (hereinafter referred to
+ as ''requests for access, etc.'') without being more difficult than the methods
+ and procedures for collecting personal information?
+
+ - When a data subject or their representative makes a request for access,
+ etc., are the necessary actions being taken within the required timeframe?
+
+ - When a data subject or their representative withdraws consent for the collection,
+ use, or provision of personal information, are necessary actions, such as
+ promptly destroying the collected personal information, being taken without
+ delay?
+
+ - In case the data subject is dissatisfied with the actions taken in response
+ to their request for access, etc., is a procedure in place to allow them to
+ file an objection, and is this procedure being communicated to them?
+
+ - Are records being kept regarding the data subject''s requests for access,
+ etc., and the results of those requests?
+
+ - Is a procedure in place and being implemented that allows individuals who
+ have had their privacy or reputation infringed upon by someone else on the
+ information network to request the deletion of that information from the information
+ and communications service provider?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:3.5.3
+ assessable: false
+ depth: 3
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5
+ ref_id: 3.5.3
+ name: Notification to Data Subjects
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1571
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.3
+ description: 'If the entity is subject to legal obligations, they must periodically
+ notify the data subject of the method to access information systems where
+ they can verify the details of personal data usage or provision.
+
+ '
+ annotation: 'Key Points for Verification:
+
+ - If the entity is subject to legal obligations, are they regularly notifying
+ the data subject of the method to access information systems that allow for
+ checking the details of personal data usage or provision?
+
+ - Are the notification items regarding personal data usage and provision details
+ including all legally required items?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1572
+ assessable: true
+ depth: 5
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:node1571
+ description: Legal Requirements for Notifying Personal Data Usage and Provision
+ Details
+ annotation: 'Key Points for Verification:
+
+ - If the entity is subject to legal obligations, are they regularly notifying
+ the data subject of the method to access information systems that allow for
+ checking the details of personal data usage or provision?
+
+ - Are the notification items regarding personal data usage and provision details
+ including all legally required items?'
+ - urn: urn:intuitem:risk:req_node:k_isms_p:node1573
+ assessable: true
+ depth: 4
+ parent_urn: urn:intuitem:risk:req_node:k_isms_p:3.5.3
+ description: The notification of personal data usage and provision details must
+ include all legally required items.
+ annotation: 'Items to Include in the Notification of Personal Data Usage and
+ Provision Details
+
+ 1. The purpose of collecting and using personal data and the items of personal
+ data collected.
+
+ 2. The recipients of the personal data and the purpose of provision, as well
+ as the items of personal data provided (excluding information provided under
+ the Communication Privacy Protection Act, Articles 13, 13-2, 13-4, and the
+ Telecommunications Business Act, Article 83, Paragraph 3).'
diff --git a/tools/K ISMS-P/K-ISMS-P.xlsx b/tools/K ISMS-P/K-ISMS-P.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..071d004812cb38ea57e4896b98db180480d8f26e GIT binary patch literal 137190 zcmeGDWm}!m5+(>^L4pRCAPEi|cb6m(oIr5jxVw7@?zV9ckl^m_uEE{i-QS0t({J}o z&-{WOJ^s$Gmx6`EhJuGego1+l0ELOaykr0k1%>|x3JMDf5k}*awUvXR zm4nWAR~tinEk+kh3$koD7@ABd7-0SX_w|3U1-jx!tvZ-ddQM`m(UeLQiB_3qu>3op z-*f#cN9ZH`L_R?gg6dbBL8P0UhxSu=KKC2Z!-JQtK6>v#j}d*4NfZ5-*4oeR5 zB1*^{2t2!2R)$-|zB#Gts4Rqn9nuU8hH~c5O_ag9-weEO)izDU!l$iCS1 zJEOfZ&ciQ~X(Q^vsF=)Jx?9jqxEaU|7W>5cEn53~C%&EKR(@nC`UzgQUNoAdP)gF< zs!|B5N@g2|h-ne@@A5C|p<)EJJA$hjKfdMVdh119dq~`Vj%XLM#aQ8s+H>`yjTwse zBew*t=6ZW$3T$f@BHo98bl&ZT_A(<~Uwz;U79?}F`#D)yWpUHi3 z+N8B{n#)RKBXkI?mA1FM1k&&21r|#F|B{^5O3dV!K*UJ{xrYoSr;eSWg*_AF>-YaJ zDgO`7#Q){$MKLmRoy;f!Ctn`}`);O|qA*0IoJGDie)#U?Be95H9iBr$wA4!d9^*Tq zAFQ}{v)ALm!V-V@e&2`db@rlAOl&^#8t3AGgnL^@1Uf1^h?s5BTGu$>aUtQptLXp^_yw6wN_PGE(`KW3w!)denW* z`~;?xG7eLa53SC@6+|&+njkm3&k;5&T^mEW00AyT$M0LQGAQd?Jo_7lZs?zrsfd|6 z#uggRCSUAOHAQao=FB9NETF;tc2wHx@=COr-c5}3vJjrS=H8l$ozsJMAu(qBC5bXe z+wbj|+EY`Ki!fDQWS(n6V!S;kqGhdN?T%j|BYSMIJpASB&FB^TX=QHKy7*7*gz%=- z>SrHZNIzG~EuuKu)Pi|D`M;`sSU6Hq=#$2AXQ=l@LS0PSR=DWA@Pk%^Q1b}cQ0CH4Y=Y55k5?ZGd{MAIm?Cu`+KISIz!59wLJ^ZZ-Kz~(&vq8U_|q%i zt8{Yvcfff1mNLh5Q4ikx21%Q`EUR2ub8wed{)j6}XOXqb6R%nhGAsNvT=It%DbXuW z(M}EfMdS}f^zp&!i|@wTQ?DwN(y_Cd2ZpBajjaPZK~l7FANp@H0mz9eRhwoU(#_fW z)D>uR&gl0C1Jz`I1`Xs5?O)yLc&a5lpCNc&2*xg>a&!|xhly@TODYU~7v0l84;zWY z9s_c%*|o>d&?7$W24*chFcL##j-$u5o~ST+l&Q`4vmR!Jp`h>Yl zkQ;bPJhLp)pfwI>;XyH<%Zz!crBtIYQTxkFTinuj$ih%8XYDO4*(=Jn-_#V(QPl*9 z`M@CaF>pPFX)dVx8a#X-sKK|Z+5FiGit&@piXS{)=+RQDV?y89z?R|~6?)Jj8l_@8 zS{ovnU+P~raU4rS*y@l>9@zJr95oV03-#2-tqo1=&khbElTuJri$m%+Hg;fzWG7IhFHU_=c2DuM~=uRps)~$J;*~eTB zCQWx*-fwK|o7y_6a#P)D5uN2nJ8a%wwGxc9J)~-zz8BIq<$mN%k}IidCLP9;JFD(# zrwIFTaOAhgerqpypTj5m((6Nl$=Iu$=SCgdz5=BD{|*Y0fAaM1ff;cC7zm*dp#f0% zPx1U;q2YfNQfPqP0?_h*_E%HPuvr%~%Fh%37QgXk+n8th0bX}n|K^$n1m<$gKp6}D 
zKSHh#$#KV=Wxo=}awym@ScZ%qcrMq8$sLzzX)4~sHO!}sRKL}}kyE)L3#w*oxIx1S z`&w4a$iz81Yc4Bi&?x-z54VDDQm0?sca8V#hJu+=2|c|c_JsQMekJG)U(~km(!yFf zGLub1(!OChZxeQTq4eKbTduHcg-5n{5sjS@Aom9&$7V(_RQxb~)W%hVdE=U%r5U@{ z*$b=oSq3PrwDJ)Ghr+Yp$w*1RKX>fJDM?{`7oTs93RO8ZJWlt|D0`*M2rVWDd~ z<(GZr|EI{wRPUpR1fs^~E$}D;LgK&W#NNcv(7~SR-w&48x{?~ZV79@G5paTck0yE( z;Spj_CM!|FvCx=%xTYT6TOMTKO1aflanhonFM;ff`4%D$NwhZNe;Fc)RF4)=rIv}E zG{I1S31`l=;N*F_%R%gk;~q_kp`R3%m0R82cw8Gi)IFS@f=VaLvgIjmw$2aZ`R2E6 zrK@gon#ZbaADQ9QscG(;&>X7_LhB4OWh8Q=l0FhZQB+cBQz3UEB=inYm0#36X*vT(dku<Q4Y$rVMot6#tGSi;#gRtZ7y(;I9`z+}n!8l6aVT$eB(L+3JBFOAf88gK4o`8v zlL_TS0sprhJR&^Ld0XU*>aHkiI30Rg=-4L4%*x&jlM;ME>NjALJEzD&ESFV&D@=85 z>^C{jXA%}QMdv@sn}wrQz+lI z!e-&XQJ)O(rH1jt2ZZC<%*JW$Ec6dw#g7BxwF%rkvB?yXL~tJ})Ft`%8wZHajW)}! z=J!jTNjJd(IWZSjRU$esWT76LkdbuD4b(>l#0ykM+?A@ULMS`KPhry*DJEm20c4?F zoAV}z_-G#Z`gdIFXJmX(^kl9z<{@>xB zdMIC2Gy@8%*#hqWEs0tGo5T?*uSraQMGRV@-o{W35>;NXm^jv&I$E2@$12j5w%qw! zaI)MUW%28Kp#!BZic5>Pmr>#psX@4tCQ(*0%7Z>S`7*OokWt#2wT?;-9J#)!;+Q%I zf2X+B>C@v=s zZD|S|)MF$?PvlSWxw?X> zdi~4l8{2z?QDc7}H0P42ZNmW4$35{`OfYLk{kwa{+hxt7=-fNDQl8591|DHvw3HbH zM-6!Gs?M+}^woRk>AHakggr+m>@=0&Uc9Cfw#Qv@r0*79ylc;B-}}|B?L6u9w&0&C z#dtV8vi3={%W(ce54>U8tEtiX`;3KmFwiksSK0m@bY3k=8!ugw^ji{ z^!wo6_6EODvT}szoxlPOy?IJ{;4#TTLI2z{6!spB4Vtj4;Fb*aZ|*o6lBjIKr!CT# zXX}^i(b3kY3+vYBt=5-=m#4kfm;1q^1fi#mm&YTamk%%Zq>VPlGF0z24(Gz})j- z#`E2b&hv-X=jVf?=LDgb=L4PR#~YG!A|%(_s0@nDy-$LXQ7Ml*k5Z(9+Xq4QDN$R2 z=y!smkihWzX7Dq}(v!o*7IoUFM9AxIa^>Yj==o0Pw{gL_sk1_57M2C zd3B!?qbQ&Inp^7cu?}q$jXF@4KgbAG#-saDt>lO0*jvg*@i|)B7`fH#(gJ4|B*uMIB>b zgxrTFdw!-rUxm0xO}+ zZ+lg>=(~R#{)}kvIs}}(q;whZTC@KBE?WKQh~P7!%oooqnKr%pX$3@sbKqGWsZe=# zsMCemOLmcx3>K^lSKw;!ZM^y-`($k(%(1U8@<{XFDo-Wda7#Ms7{c+J- zXrcV&Ug{xdn4#sK=@{biS^t+veva#1J7~eADY;2}AXM=0QfP#=khS=q_?3+%p5RaR zrP~XM{pgHH=ebQ$E0zaQ=*BNJ)#vU_v83V_^$=z=LDsv!B*Sw|NAi`)4rO<9QpFxd zZnpfS2#%IRn{q{G%5FK3^mD(6jOM=s#@hISceZ0v=hP9jb5>KX4HuN2uhNnfdw{Sr zs9LPLkbb;WCM69c-gwv3L<`uS-JGh3{?-6c54T* zV#iDXt6gyay45~C;-pfW9WD*(^Cwj=6DA&`7^@#p0b^#ZnmlL{&3`o^@2npl*mhs? 
zM0S!+E8ABmd9!)%oR$O58y(M6z&w)0k0d9Xf&DYirQ0ZLN&VDLhnopbP27BFL~OvXX^#^Tc*eap*XbTRq<14TVe`KmB>9eWl?83*jjJ|ZZP{Nm)6bOO9GY??x*{Z5 z?7=$x6l9*bk*TtI5M#L2pq?%Vr+#F?_*j`hct^fW_YhPv_=9ypow}rO%l~o0aiM$( zRPnNoaz)<2h%C8kkSUkv6pWuxb`|xewu0HeD9b!z=5&-T4;%}Oh>|~ za-%m=g)yH#soT)j>Am&aV)~u_YdUZ*DND-k)M9nxQcUh(yi8>A^F*Y^(PIge5Xsqb zNzfh~^1xN)UHOy_;ko)qr28L%m#!!wupkSX8Bx-KF_uALtAl}B01E{E3Gn}YKinNT z74}Bv%w;7(#gvZvxw^U?Q}ul?rFT~t`2A(F7w4Cndnq|>DLKF*FYl~-e@7;M3)9z* zmE*rN+Db@of}}4>6+e%je3TPZTT<+zHdA)QGv_1vVc60A? zJaxq#?X5^EPEYWEIC>R#a@CvqddlO^6EBSx4U7=R8FGuM0aJ>U!Ou#yxvQO7}AA zPLvx;A-MPLp6*REq)X1P=LJ7l;wBt(h# zm@f{nL^z~JTHnO3V14p%jqbAH|1c}1Gd)qM)2$}LR6Ud1`=Ce?Zux#noHEkNsYcS0 zNS@HXFwGgny#4MZw>^M_)wN}*0=~@AY{6$D>1HCy{ZBK@X7K3|Zn5S2t9cw<`l%Y| zT#l1mjvIvqC{~u1?x)C=jo&kbZPNvou#(oxgGshb)u?1_8w(7{3*7tF@MTl4qEc@r zQr-VpLM0KdSdB0Bd@JSfDOOp4k2`KkI9`;pgza;?I>J2yj!=gU5@^(`s@iF;+R-*6 z8rw)?pLODkaQg%8Tw`Qe;se=vUNp;>3vvHr+7@(!8iXZH7>}CcTw?~@L^ev}=r4jB zaEz<6M<`!lYwx#GE#F|Q6)9>U7CH}dYoLdM6Lz~^^<}nQci-z$S7(Pxb?JIw#7;{T z%hfVj@4A@?uC6kH8j2QgvW7aW&-F_Cg?STA{&~#%tnfuD)o|kX zzj_+<4JDp`)SMW(LmbvLTR3cTR%ZksxL17zkJh``X#ng+= z@y^(J%41{VPM8AMC{o%skeB(!YaJeGBBlAp$JAV-^_6#(1{eD2Ia}SuXYJR&UMvu< zZs6><>&6cnXONvol6<(gD!zuNxP{v>jKF9?T54MtM|=R$hdGq*>$fLed#@#_5NdA#s-hE;xY%JWvTO7 zYUPzlVH5j&Z@CoS2oHA=T#P*lF+?nPC$;#q#@3eRO_r3s0e>K+2@=J?21SBc?tovQ znH5>HC4`87h|%=US+RS?;xMJte6t!1ur|CPJq)>3EaP=TSIp%sLxZ(-@XU1D=0jbB z8Mz5kw3gDB=W+tl7AS1T3?&F*Av1(*3L`{FCaw?#8W8nA)DTDzXz?i3h0)xZ#T-$NklE0nJ$0rRH zXKXD3>T&V0`cLi(zG`97(A-U7{JrUKVr0LA#-M#hw1Sf%5JIDuI)`KYUUsZEw||qx zlK9&Vp-5vtyIbYH zV|*i738EC{hsg-WI=gzx40I#=+W?EF$ozN4&G0`n%qc7Stp6WeGP=sv4}cj ze2JOK*y#?8VhvVvq~U+Xal*$yzq&#S{yGsQEF_^M%wirQWRF>gW)!7XWD0%flGlA$ z!xM2JR&^FjoT1aoQ|`QK&JhnCVZTu6yyPt%^CJcRyXCs6NZ~ev@#E$~7fITRzR_uc z+ZnI_Vx}dN^GrWU;HmNLecMrQG;<=z0a)|*;;nbuI%a#}emAGg`HzK2R+cfa6H~R> z8Sk2CJK}|x8$wHH$QaQXIE8AjU1k-|a7F5rMxCJsN%5zX0|qibBMD?hE*7+QogCU2tD zk{V8Ab~njHaaNIwq^PdjAQ**(xa7#h{skls5mzPFA^}XD!USs&i8*oHb)pzl|6HzADexxNTjN!td#{hqI|2;q0KW@5KmKkAiiX)oF*%6ig`9% 
zwMJNCMUqn9HE89Oc+yPSj}zUW)F>pL$@hAqPEZJ2SuC?UmCBI;T`*H~Yf?iL>Nuxp z{b@EWe@q1|kmc7OblJW6+{3b)+;q?vTwdG5P5+>sreH(1J-Si1#v2{?Z zcNwk@-g=Avl@`CU*aS<8_Eo)XmM~ic|0Xn_8KeZjF1z2O6qutl#;N|RS=-{RV@Dj= zW@XV4T;Bn!5b|vbJ#r7fUE%Fa9&av22cc=~EQJ&dNfiBQnKa0+W~pd4dEO}&>;?@r zd;KTN7H8`!g|8C6W+FV$cJW+xs?2nXtQfjG*$?}Iv)$_F0$J6ZZ1-jB&5g6f8iFA|M zQqNfqw}ylS1KWdRnM{fJ)~0YijsnpqG`1xWomRW`&K4aLPAr;!9yoPTiM&`$CiF2$__w_-2BOk5@+6AM6GixEtq)> zF5mM=+2;oWrv*Wi*A&aj%;jmj3&tWcaBIf2W-K$YF8f4+#Tsk-9W1x;N&Z=iHP+@k zc98WXDDteK5+yHgm;YKR<34aE^~=B3hE-5yBV!oAs$D5^tu?x?BpcI5|IHA0)^AqEb!UPY&fly+P7XPP2<<<5F6H*LyxE>UX|Zz)9%}*LM0# zM!?u+1~{{=&t0i`HZMwCQ)>qgvQ$4J)aHaF>4n|s_GN@t!4jx4JvJWkg5+(n>*E@h#b|ry0#J?6AaID3ueXDL(b{j>TfV!*!dr`S1DI z3K{A+@>joPC~|eNo3{`w0yE2+BdcCB#j-&0t;oh1r=BDWjobA!*Z`RRg^k^oP#c_! zT_ST;iQK;RZ??~^M212|)vIj+&i{PN@_!_eXk;ytVu;9sz2!$*f18?(%cvjs=bYtn z9o0Yz!WH%|{G{zBJFVx8jsxF8OJQLz1A-Z3{^fV(^=)0?C?kCQXm#)}>_K$Z*6HR?(LfLRq}(UM}wpAsfV#7 zi>l{i^PmRPG)JFG2hIx8y9Zun#>EM+$K1O4=YGE`wp@JgmZxpS5JdQ|ve z1Ow@uStIGQ?vPQ9NIL>W5B)Xs&-G!Z?=uXf!<$qL@d)K9>J_BLBV;ctW22$(Dh2Ew zjgGvaG1tQb2v+s$3@Q(^1KWt%I!dM0!R089g*^ukdmKZjRNW4Xun}wd0UdO2 zI&m3&5_Y=pxd+(Sm zuV}g#UWn)Ss0&^hp#$uufWYFvekNE~t8wE&?QRpzesiZ%rlbUu}=$F78Ie9IIw z+>NtllG)>j+}2nT{F>C7Te}dcGqm)w0ujC&Won0wt`i+p7aKF0$kBD6S@T7 za0}C-*+Y(JbKrh9?6g-TpkH?2eq3ua`cwS9N+8b%=HzY19l4k$5p#!5&CQ;EDS{)$ zi%w0r-f)_P&G3y_ic%4R(6FzAp?ivfLSn1i#g!ylffR%9P>|}2PBX&;)9x(mz_FJi zJmE^QF_+L~Q4?!@W^g&ejKa8{N{$-=BKZMSG7|`IxRqrjCjv)29aMrrV$A%TFn!}h z=u)MaYGGvr->CTp$nEWkD3LJ)rmOux!py3hFi;b~{DKHBnI_*pyU6bdcA4EO@fnI3 zDioSuCt|1AA%TW6A^Z~l?`Ek?UB?%GB~ldalK-h`Kv1tCFBd0^DgI zJQDNsW*mcx*4l72l%y%zG8)i(x3;S}{A& z!uL`kilY9Fx@RRh(UkXkf~BxdMwpQ1v6lc(_0&>mVkc_;1Skw>;PK}OgK`5pU{M27HK7RZ3*3rNzOm=Na;C4I$&??` z&N*pfIiY_>qnXAFlSl|@@GLU2#3FmaG zPXa9TI_#SETKpCjE#^+NDb5uF?Zbv7)y7;F{s7@F#?#;}K75kv z!pzqio~*K6m?)c!>P(`PJ?MtW(x=>~%-#y7JUlY@e`yefZJf@kag zqz2}0fIcC*m2YXH_2Ze_C;c@h>3z)LWy03eo8qYzd}9LD(a>Vz zFu$u7gN2XZphr(!RK1Lh(Y9M25!s9Uu`WJ?Dydw8x;yR4^(qj8rNcWkekB5pz!MkG 
zHQJBpgWWMxvMZ=&2peI1KuET)ej^0NM&1_%%rGcO&v4;eS@|>VnqE0um96SFwAdO- zg4~ZruENp62lKj&%hNCeySqjWf8NpBCTjL^@JY+L@a@FSK5gfVqCPA0`#{n{w`M`z zO&M%_ex=*hIp)`Kq+BDO1~R*VMx$hEa?B?rxAR;VYepux$I`$OWvTue;t(Z#>kV3A-%_jbm7KqYP#B6I(xAB%t0nA_F$gd zS@2}7#j=MKC~1H1W>g!u__P$a?U1|=ca9OvLA_A?bE;*Y=r_VKhS1#Cw=|FS@6cyw2MgxuVlxrTZv)P&nF?8Qt^#0mAQuwZ@=-eBrP+T1+t0=1g=3(hD=1KXd;j{zmNdK;Xi$P1k8^o$b* zAEsK}LEUO_u&&_=;mO6);L9b;zeVjy#cbKCW(F(S8qGb91sCrG{zzR1&t34|%8qsf zDfz3OtDd;vv_3e8XRH58jHnD_sqVn*uHsz|bj?WPQ5{YMMnes!FMXaQ!dR420qmGM z{rx4xl}i^n^%Rx4__-%3_dCsku{qt}jz97`_k0A#?N+9$^QeSh|FFJ6r8$Ibq<;pb z9JKc~yQng94qcTnwy8$MTG;ZlF6$fkX!#kJ52tL*$modMA~T=)S=bTYlU7E4U9?`# zCg|@UMmLX(JsjNRqV!`bKCP!Oju05~*rN|h8%D<|{_dD&;Kdyz&8X;iqRPMzx??<^ zXcL>7fWUtTW6kKd{lXEHcYM67yP_4U9J)F*P)-typY6KBe{1U5fysz2H43s9psw*M z>W!ALJ7DJXlar*>`=h$;CTk&JjfM7(Bc`4D+!MD(A3(iB3xCBdQ6;Xgnvvx}%D0Gr zJ33j**$l=N$V00V)75%Ds;?c$9_^l9GBvjovi&ARWzXcUBvyk%;?sXud^$&^rsHay zYRR0bVA0&sul8A|LRs{?$LBm`^uf_r(MW<*Nx3fiuOKT})dfIgdwa_bU|sBYef=5q1g82LszS?U)7(8%PSdDB`5w^4H%U4 zLh;jk%zahXSi$65==c+sDrvFqhEiOa9Qolg0mDUg+L*w%cS)Dyhw&aF2{R`A@Z2iw zXP`=1jqP$yDZ8T5jDP|UJQ%`~E87$NO=gpqb)%DE8$WVnV!9t1wX;cSTKmbtGr+oR zU^ZxiYy|+UpE*EzuUc&IHyO3%O;uUh`p~n;43@(1olTy;IqM8xXz@Y2Sm(QKEv6<2 zEpb>~`onPKaF|2RK}2aF8=*Yld<2wFvlge_8UBH}^_P|F{9?#c<)6anb=#dG&!~G76fr!JZvk z=H;;)3RY~WVIsb>-&A6vzdpF-(z&b>Rq$hH=LFl}Ez>J*rM`Rw_fuH;m3E$%X@cg4 z*Sn`nsO52zmCK4;JC3YP@-Gte68#=T_Yr)rsAu7$HT<_iP%a z%2bIE|1%ZNTX`TLx?_wT0KvLQd4_t45Y(2o4j>-b5EP>%^=gSHVLst)lv4L1;I`w`)Gb{uRoEU}Rt-|k(oYP1`Gu|02H8Xh+#PJ2EaNc`wlKHq0!_nQ;*@>&^2kwGX)NAQ7jImO#i5c4**iX9E#D#^PmRl!){2r*W!T1=;$qIScVIzL6nY zhRQAvBDz!yNe$~z2%g5sRh1x~6sNk?X@AhhsLm@uX>!r*xD__>2v_n2sLerDW>1~v z4K+e9B&~M=A(e{lWt4OPZDeSe7|(z=s5u&3tR=@ys|jFOTTu~8r9u#DN&a4rW-`G$ zYmUU{l}qpW?#+{*iD0(H?qSJ{Qf7BrL)2#`?`JJ;fA5pRT^*_+6lX0cFK>5CM4T7d zKAaZcX||2KHRnB-XSy2HpO@8>nv3pJ6$OZ>hvIB0HxbHJDiwPC#@u*~uGYo2jOx;Q7LjyBR0%o^rL36;jLO00oS{)1t{o$@AR>9|D&8a( zLoR&7O78M%KSxev2R~>nTcXcCZj}>dk3#@AH>xZ`O8Mg5s|f#>=+&`2i4%%%5f1*H 
zw+#O`CH{kEh#;SRS@Lj&BujHUeu^RNez>xC{^-bi=@0Z%NdQWP0sgoWYfH5b26ltx zUQx<&OyLm~9{q!<>aww)pH`Zd>d3%63-w&`yqbkE-dWB}Y0mB38-7d@@k(>EV=kda zlgwBcEE@K%d$Utw=3>Il(Cy}p=UHD{WzJ78NZ_Ocg7b76LGyBeNBRuF%O^THSWMR6 z?sY4Sgy3k{D^LHd%x;Y>C)l%#HgRUw--eCUusB1XBlOwI)MCo2GDe-+{#rmd^eT5x zK7%Y~*7TB80f+MGnsE*$m#JMkf5g>{49o?r@vp{lB8QQ^nm*+VprXtlRZgH#n$KX- zy-kaDP!G|OhE|xA>_j2&rxuE}M9?Jdz`~LRa#tHw& zn9!w2(P(=T8q|<{mux!Vj^^e4gT0KjTdsaR0a+%|bhVI<)27B;tR2)1S9hUl^H*;$ zO?coPJpP`Q(S<}^^jyL3rS+UHpa`CWqI}gk$+n94K?`1UK6Fz7t;st;*tJF{DZr8O?Xm=&zh5kS5?0z!G6Q6}g^}GtEWWPQVmY{CH1ksjM~vBoIf~9{V%E z->)LK>Y->~Y0=2F%`|_4Qiv&+ZYG5ID-Xcz1Q!4^nq)$MQBOM6gsTsxb0XUsE6W}Q zmeSGXVx|nC^XYZ-%%c5DjrYd^$cS>K8eDOb11wmEFUqd!o^Oeadv(Bg zj9y`;4-N=301|YCW86I?W_}gK;YB>aMwm{zq0QKHXN`<@nGI9W19rxGCFnQhx!ljZ^|oi zMv|e)xko;OlDdw3U?%oYf&j{xP-6xkw#x15)Vs>am+4b=?^yn0GHy4UsLJOt?=P5> zoF{^)X5iQdMzRBw{9S4uo;wT9lv`=aIrrDMFU;N7c_{2XqbiB5v>W;eSl11-Pu3+F z$UkB=Q7fg#Uip@5Mz8J06x2s_bhfxGGN<#13})WKGtE%f89iLY&*@H=btZK?VCsuc zYmZaldc_*EOmOgLl2@P~Lieu)N}lW-Km)&S0<>|q|84#$r+InrTVv@&bq;Kzj+WQv z6Cm<+^wBa<8MV77y!f?ztF2)#8!f|OxU-WzOv`<)(PA!Ff0&)~xB-i*Kx{C7T? 
zWZcH!!Mm*Ke0_WB`r9pLpT+my&keKvkMj6whC(MOiFIgy3-p8{W9KM9KqbD*V&?r< z73v19ev|aVrU8XPk23J=>MQRnB7d+`guzaqkB~HFaE=V>v|(8!Np} zNmAq-xrQFbDlzutxP2^B>hwaB>~{XC^PKJ94uMxZAp-J}=vO=-`L*uvQ~+8%X*K$`Xx%2K zET*5<+y)^Bd(NX9;pP>^ff*^fn@HuYf7HuUmuq56t$}Jt|JvZ{x!9GXj8wqJNEf#1 z>0yrm^#_;gYR_gYg2>na%J?1YiU!yiH}4VxWUvkHngb>dl<}J09`Q68-PEj7r`pe6 z0E5i*)@Vm+0j@y=hdddrDYj35_>DW2N}rSh_Zi-|hx3b75{01PlZXFYv=&V%i$1A1 zUxv3t%7czDMm96|6HNEi*2jzS)|CjqO{u%I`SoQojCFIDmTTS+A@nj$_6Q^Gc}^ug z$!u>Nk|KPu?rj5Tdgai&aF3>{)m}ke=;|E(l9)rO1wwzyWg=M%%XlQXZEnUe-m=vp zGUi4RjC+b--&7^buMC)c+bqJ4D`1g>fILW2Y+%#iGlcPdcS%X~QLjBIAQx+Hg#lOknOJMPv@(w_UnfWp116+aA|yl8->BTg85I#k*=u0nla=^ z5gIoNDt;Lg2m-?03JDgx!S{z~XgzgIu2vYnj4G3of1Hmo_EaGjxep*t`X$@exgE|9 z4|OE^CF9xpi6gIzemTGD?+=dbnTd9eh$#3-z>V5q=3P|Jd7H@SB+x9JM5}!yLEcMi z+*Z=`zHj1yPbvOGZ74DDMRZ~skI)9cynb}@pYZ;lMmGE%Q~XVJKoH<#|16c$2*~Aq z=D&no4pq1Ue}{5~X$<2#hYx3jfQtciXZ}O;1lmjGXAV?xPuu_{OaNf32(~Zu1>Qj6 zKcTgpUfumkI|F#-?~DMgBPk!oA1xF)&}BZaAIZRI0Z+}{3QA$TCt^irzun!zb09e$ z5V&mL25(jEMi};k?m;!U#L_4BM0z9H8#R4QSWfDfYB!}Fe;Xa>T5+{mAz}&Mm}1~2M&TD%?@%J* z`x?e*qe(}+!>!8OnHsq?z<74%3BEp%N|{h9z)BgqgpcdC3E@IkFy3aA% z^M35}e%i=H5`9u-YWK97sPR3v2UWW3-LjmAiCsY2$hy}>bN@T-*{Lxfu>9UnJR95q zt2y7(kBKsz@>EgB#nGxgCIVfA#^dLb=BzjRJ_*E7Ouahj4@1{sE@X*PY~Kvk&GF*) zFFB98aD<+rpEqw0W~%4^kRHKRqf!+?!pqg2+A>a={TSa0I2rkI6n>#e>Q6GHPx28O z-%o7Y1{-s#R;t(hoXT#^c?&FjZLh%NG$<_T^#6_gxAzr7r7Xq_KXDWqN~tp31D{=# z^#{MUX43Q7`^0YP-N+*+RpPadJ@QV8+K6TI6Vx^p$>xV#L77A^>ky59|Mn z_zAV#qJ6T(LiIwc=I2RvYp0AW!doQNg$uSpT>doR83Q*a%8=}%db#*L^{Vtt?sACk#vaY@8Kw_A) z*a;wu=6rizFE~`*VN-U%e}0HXGrqQfU-vx#7l#Qk;KHvX`O>fnp8Jsxymr#tlwG*U zkkg&pG7#m?)2uMm7*t3vfXiP2m$z@OoNds4%*-sKOgiWu%?56NHBzwZ7Iy-!^)(Y- zb4xpcAxDI*U4%~hxJftNS&>p6dx8t>4R>?(R))ET!VL>Js+#j<;3^aJsxLsf0&hlA1q|#R#9@tx2>v{&&n#8M%(cuWZqmrULlGlcAAigI#u-55SB=jiQdQ#Jx$WZV z_eZPcW1(X@5{Q<27WYUOq$c-j&hO_&-8ayw6i}$0&aZ#ylF&y^fdREFp<90u3&>7~ zShZ1^mk`C(P-6E1?erq(*3X4H&M@uM!wn)lYLoYmL##sT>rUqzqrJ;9&VITYQ-!$O z7N6(~Q@>`{{Iy#ekU+zWu&xIvpR5@--i73}63z>sh0X!p 
z>Knq$NWZF(`8Jz@T;HY9BJ`z%Th&b*qaA@8%7}ZaA@;Hte`@|;nCIk9wYklM?)--4 z&{G)w38Il30bZ9rUF1l7a^LC*yGWX6?G$J>`!<)!Wbb^sJ{5L`KQbrjU`VA-gfgVr z;b9`TMh7bjlAVq1TL&5X;8H8YhFFb3Gq6ZuW>YBs|H%5vu&BDIQMx+>1O!2H0LdW+ zhZLld20=Q85@tw2B$Y<#?(T*GgYJ}0kyZwz1p&EdeBbvz-~H}Co^{q)YwuNi#pVoU z$&!lEEGd0%Zxqng!8WlXV^dV&1Pcgr0WJFVM4&;MNSOOLJYL;-dE^}s{3CQ<0&@_e z@UU}ZJO^J3GWqT=jOv%5BYvTW&0eZyTGYi}%Mu=z037H^1@H7GQ%hrlIPH_w5AUUh z2*#>GJ;dIrrtbLFZQ*EjL`E11Bm6ALx+Da`fWc^)rJ({{e>|bv`(+EEyo+t1H4 z{yis3Jz%Wdy~wR3@Xm>4;~i~}EHVd7cFWDAx0d2(m-orlz=l6#-ciwg{hPkY4!fJu zA9S42=Wbbk(aO0NeW%I;G#zjz>P2LStuf~|EWfAOo+$in9bxc8*lVOQF8coFV{g%E z8ey)jePA-a;50h@<97lkMSGsI#Dz&D6UP{D7BvA;I2%s^eZ+^Dji~4k01Q2It+&-c zH#X2bj)$=69ntwgvRD?nv4P1iF(wQVp@fpJ7Zy&ML&xhy4u`B`q($!~ zXB!XM18pSe@aiR>n;nDCR$bSJ7$6=l5CKsEVzkrH;n2|milb$U{-3~HBk&9C-h}Wyx zq)aqX)w$kekd>D_kcQ}Y)LF7RpLJEMt9FCId1w>RNrDnr_XEMc=j;Qzk2D+kp?|z5 zc<%^3Lu#rASZ6h1RrdpLul<2}!ZCqTenvH{nC4Y;g8`str!7nZvHR7)JQv_J0dP77 z22KF?k|kIw=JId%=1$FWTv^i69?ps+^hz;OC=9n=np|t(h4<7Kb=Z^m zX3HKR@!cUI5WGY^8~G>Jn+&5B9bC38R29nF^=>keSp8WOe2VkrwF{@ zR05QM3u8366?*pPwYk|m!Q!HPYNq_SWOLB2v+f3nLyQ(qj}O^;kQ_g zGh>H5ao0HG(dv@iz+7&C9=e6;016`dEn}#W0U9@8+HtR4NMHzi!T>@F%+p2&9Q`A;F%!NeOD5)dpMDoFsH72}9~npt z(aBo)hfOLkz-Ee+4Z8J1M83=$%FaZQX!B~5uX&HXR?ac>^6WhUDK*)*NoYG1NI|R- zAxShfMf-QPO-Xr*+exHwdLd%DRg04wn*DD(J#p(su1BJ{{bIBxt7KO~~Gt|}FBCV+Cqs0+FP zxq1*zij(=1@{Ue;C=a`y49p~Hz(Mx?fX6wZ7dH4lHq#_99O;piX%NA$Sm5&Of=+%t z`i-R@1*{(3H_|!}eU<;2y3R8B;YwiGzc4SJVq?0Hbm>5xl9{i_&R}#an4obp(~Klo zMYvreY9GZ$C53ZGqL>uSCryOzEt2&#@SiH9dfna`cY1_BC=j#bu(M%NC*Dnkd^fM zS^T%MILj{*)VxTu^}_3T7}WofBYAY`Z-_o09GmAN4`F6p3Do#0d{E>j67e^c;6Np8 zv`&s;X!QYM_TR?v0@pk+WW>yNwnrr>|5K2UFG*eD+^J%i-o*3~zMu7J=I<2p>;u1L z4vNI_7(OH}6(tTcmXHyHQ@mSyt;P}m6=1h_1dQDoVQ z*WCzj!Hxt%$D=H$nk0H_7FpI<1(?{0(j-g8aSiA`0WfH`bL`@g6lucbR}pS%m@l?? z&)X0u*h0qSUH>|*Rzw$4Az$1#&vkIW6i?5L%U7v?o=eN3j8L7beQZiL`C7^?Bu)c``G8R=SE_XD{HJC-d#iWm+8xF@pB7-_vNL zH`SfLzck5-dcx>?_8J23GFlp5p?W$2aMafLl8G1! 
zZ?e0l;Ifu|;cf%77FEJeNOyvCkQCa=MDR}# zi?ypa8QOP|AwtrF)Zr{9H^0^8xTC1?rviau1Sr7SwO9jyu2_A@=-~rz^f~e`tg%30 zZmhj?q?3jf80I2s{dQu3%6`3{pxvQGL^{HP9_W;Xcpf~VASUZOeBc{7FUZ!bcl~@r zr7_jcj6~}gXI&Y%IkmDD_vl4CvEgP@WWnv!0qj$xb>u#;COtyN+%kZci|R;Y-ifyV z7Pyr~38RwX=b-6t+dJHGsk)nK#~Sd!a!@x9(wmT~HPsZjUX1dg5~S*5_7zxri7w=` z0T*c6qvnswQ?_z0mX84x;HcCF{@?EUbm`wjszj z1xSCtMA0Kb_JuzhBL3CL{;s3Pd9*aCQ}b&c&K!*YJ4jC0v6k`4capf3bI7Nmh z8x3KPmp&0;WKzd}1ly0k_D`Wx9xt0%i)6Bw%&!t_&VpvxE^i2)UlKLg?|gcEkw*wA zk>7YI%H&C(0km=btzOerhr=u$%`uWtIi3IVu`LX`;dZTVd0ZbuC_?J5AESlZQcR!8 zpIjMX#O2R*15$IAvBr(Q50cMge{PH`7=hW{pCky(QcV36n^cVY{%S;RP56!IV7uKE;V4yWr-8>5c?H{A^i+ z(I=c*YeEj5OtPf+xWYO1a)4X2;6-09!2scRgVb&$zbLo0oP*;(iLVV@9U4`6lRXSE ziRa_U>b2wH=?a6A^W3-psC+Sk9{r~r(NScc-AY21Ocy+#OOA7353G2-p2u?~bNkwG zuCz^wqr!O@E0b^H8db?#e|2qo$HmZTkoRdkON%QBSHTtDh!EL0C6AZXz8U?M4SsO< z-a(yrS}9H5w|8PPC1T>w<(~KopAM2?;8Sw?buIX02&fHZ%}OJf0%@E#yPa0T@j6IH z4F<8x_QXa~f@h`Oodc;?of@Lu@|C0A`8NtsCLrTO#98`I3|8EiY<3;Xj?^_v9Z+|{ zhzUY!NO$5XO5(gZ5P+G0(k?tq5G~YhiChKQDA~UtcSwnt)?LP#&~syw$a-vxb(QW$ z11m30Cs(hmfQT9+C?s6Q;cl_uoF=U}-OW^ww+X*G2my&)ZAj+aG%}w;QixAh*!& z#g|LA16)tT9*Aa{ACoIF?SJ@=A8V=;EupCtspeocz8tXD3jDDiUVhWzJ%5V5W4+o7 zIeCCt0!3^_(w_9E_^zH}eXC`BW4gc<@PtCG(mm~6<2V!2s`olAca`Akf*#I6IsDwp z%?g2V9-*OTY~E~qEhwVAW_KuP+(3!^V#se-cjw(^Q&no@qx;;hp*YLYT%=Q03-!6w z8A}@-C9|31G3psVj*HN9NaPLBRmv&Kq~e5!Ja)oYlZP2p;@ktd{oEinq`}visMd(T=o*F zKasixkU##*O2u`jcY83aqePkkYK!lRM?Pf*!WSV^oh1nk5%M4U6cjQk$lnYX#Ll#_ z>h;q6kF^e8Z^_6U9)(J!rL5 zOfxSo>(tJ_?&#hZJO-gu!1aFq>_RKV z9Q8mFmvtE+2ntIbAPWDgPn}e+e;fZg=Gs?Y+tdqlnS_$F*WjVh=0)NTAWSD4Uq&|( z)ak=?%Rd}A=@pa$82A;}yD3~nOXqUupq z&#eSIR5%SbUH-D#0NleUzU6Y2b$kgAin|2dZCuJtPWp%rEn+$x&W6?sA1FQ;- zIzQAI9TG2w{k{cI+`sAtbon1axO&ZPw4~Xc;tcer?A~qYW@F`8^>?O|Sy)WeDgrve zlTdLqSkujpj)G%ghrHncxXd0^Sc?P&sR&nP-kwSOa-J;oKYX%8FSK>x`KT%YHTr~G z)9Ju`-$SZyoPY~>6gpOW$p8%~!?ePc_uXct0c~5U%z9yz1RT8Y6fHfA6jK5 z^8hTDm4+XDF;~+5gt2oo9VX$bp5}M8-7in5k>oN^KL8G+i8DX5^O4yCZf>!J1Xs z?m6ZBU~^YVXm6zP&t)xkM}??MMBl6OWDUc%HjS7UjMs@01kD=~zm4-%q6CjzK8zl6 
zGwdVrZAOzBzwWi&cZVcPwD5Kn8pXF>+Vg2FH@`8oe3Z@1CC2!chD|-vme{qLp)g`; z_K??JPn1?!0l*cjoJD}^CL7lQ@vELRqxmjFz^diy#rht#?)=ilwa^QWXyp36p-f~w z={Avv_f1uL+uEyKug1Epe2jy9{w?} z%y8Vf0=xxbQXal~gf(di^NOOcTC}`89EY+r#$!jH%6P=R_cs?=y3U zknhSplAXI17h`GihUi#Jl8NhKYb}ai79i;==W&<1H*>GWG0o~W=HoE?L*HslXJ|Jh z?K3>$s4#xNFSI*^$&?WD237}vk^t9quIV z&%9{qFB%~bau*I%?TNnguFS6Sei#+T&v4+a(U*c`k)V=zBz9GuvX3@Ao{^c=S@9;z z8IlE7pH}pX#VO2IhE!|UU4|9~R{tgL5e5+N?1VCxiIol|o#celzCSVVJ$b?({q}XU z$jHw1k#&piyqHeAX3RinRe}!Hv=RA}dqbFxL76#}Mr0UGA6!{R-Gj$3jzY1UGBxbw zV_fdMLvLA@A3xCK_e@@v)887?KT%dCmawbD}g~=y87mva;WDZ~Pl01eiKRA~{4B28D(_O+< zQEX|tnzf-Pa>bU08)w+XWO6FK+nPLUyo@0gOc>Zyma2Rq6|G?(Gpp-K+lZ$53M!an zvFoRfyKFV%6W`^+%jdv8wgz&r(;cE0It$@JJ^Y-OTf$ z6$~5hp01`+0@`^e*KXRn7Rz03-1vc^;Cr0C@z)bkqh?y#y5Khol7SB%0D+>n{GQ@tXkzb z5O~E%v^$S!ycPL!!?K*gqfKSj(^!_%p!HrsF%!o4f_bUI5+l3&?`aHo9Gd<5K;AWnxu1+?O;Q>- z;FZOg>*kGd4|4YNvkJu3SZk zv0x(fn%BIUuBYqVNXby8$AH*R5^T#jPveX?GG1(mue{z@%VWaVUCejFrUIbjfpL3; zfe2K}0%5*_EZ9L-AMB9B!mIlK4 z-_-$|Rvxb98GgvhF@O2BF~rgK;SO59hWvxe=_Wqp2|>E?%9SRI!<{_Ol+6-^Anf^~ zO@~TEQEJl$oOaF$J#=`IxRB7g?43%QTrEcSk_T2GYLR9j1xuw@$Y;WMwdjy~@R65# zc#!8AXnUM~cm?CPP08z%aDC3?1l?wX5f&jkD~wn5Q=ch@2Y9M0MhAI-k7sloB+6+X zbz=uY7tpHoD%spjba|(%jT-I=HliQa?uc}506uCc=^CpENX!Ko8Jqp z$|IproC1~TBKtJh$cH(F%>X!jy5U|!;CY^Tl6e%nY!0B{MQ2+}Nr){qiUtzPi}AY$ z2xjpsJfnE!FNR%6U&3vBxiBBw^a6UPefzpE&aD0xnnT+ST?e6tB3FcR?7h}h{JFV0 zekPw7RHoh~#4c;Z#NBjd)AX-!+#5*HbN%!K91ar9x8P3Vr1O)u0zMBvWIMLwC~ofU z)JVO$MXBZ_TsywuE`Oj&$eXZyFBkF%WCu5&BZVm?F#0{B<=PVdg@8{rwY*~0Terz& zew$r57$cb(nE+qNrsfjYSoiAGuG>&|H3jLp>j)rZxx_s?%w+XY67Pw*IVnr-HDy`p zWiET*j*acOq-?umSif9hS!%5`+YZ)rm10Dazf(mGpd>0*QU@X=%-Z=90AA{@EZnq- zYQo4ZI#y4V|7@S_{u|SSZjC2?1-Tzwmj3Mi+H8JAJKoIvyD`T*wPC*%{Kt>TZ>d>k z+u83YPU3Dz*2-lU#d%<5$@V3Xw@pN*?1u0j{7?-s-44-o{So3Yeaj|rr@9hMg z#NYQn*W*UglnM`z2Jv2Dl*>BFsPM=MT(Gj2H|B6`3A1>>5iB%Ml5P~sagb{vBp>4k zZK1oH+feRY-YXR~LU<=WgFZ*Xu>Zv1=qoo1{aPUsmQy%pO@r>W>KA$=0W_*aE3Y88 zRYzhoo#dGPfwX3e8G0!PA;FdPA~vcC#L$6_#=olrKvnf34yp-^b6bj;$-~>CS<4=p 
z2s#g1h~{ryjJa?L{*+NiDJ0CRMZBI+O=({ufw;PFqj7m?25vG0b>Nv7(QYy6oRO-+ z9W_}{+${2!;&$9I3(2RBWy5=HcqGkD6noT=V;P`L^R+Rpt6FZ-({VZNqxT(EdK!(^ zjpy0X5qMU(FQIRYVB?(gx#83gZ+~XNnGPn7lqgGX&8=8k#$n_L zt0)>|J#_L?GKPItE$86eo!-7TFUZr#VtJ9cMTg<+b+2TGirm8yK}?gHly#(=Zc-}? zfC9iAF9VXiUf3j-UD5ky{(!FbB7RXWy6!=rTgF1ZK>cZ-PeZynf6wOpD$Cm6O-Llu zidbs;?X=8ZGL*;X2imTBlg@GIit=CAq3+=tuw4?*T3+URwtu7?pUy$?!t2co*r;03 zW>$3ktZOzFk>K!HI7kC8wJ2N{&X8`K$Zmk$tPEfZRskr5h7dax$69oXy(pGG>hOTM&a*`*yYVt83Jh-iFrKZ3K=65iXU%k^0 zHnmvFbdPn+9ORJ9deM%oAjKhWUP-BVj1;UJq~}XRn;pTh04twYrYPPTfXXr_F!*CJ zt2{>FD%!G6<~O2Oh)?$@apkehAK$m5;NQ_QhrejNG{|5i!+*$y_`Ft=K0VK*Wn{&5 z`g7$O2fn|d@}YYfW$3?9deiZq+)MMsN#T>s_KDmZOJhdRVl zbao7wSJpcTnx0k+xJaAh>EY26IZUeshH%?Uv2VO%>4gcEIsyuH5=hBNTNds+yRYc2 z0f7|Ix$|~f3Ep`qK8}wYZEG)>%t;shyhjB&BDvF?v0-#>pe}N!&lm>3|B4ofX=x;9 zO&JjTuM$D+hu(NLFnH(g$_?rmNmLlJJ(_)lb;L_P4D?ebMu=X%1Hbd+n+x zCWvC@I&qV=l-%f&&P;xWOsCY0kFBJg66(e%2yKRZOYUnNAk@ATG_=;HO(ERTPI@J) zfB3YZA#=*7R>4K;Qi|w%|p<6-ggy34ywbPwL<a~%rPLtE(cyH|8nLT6e7x1%j?_zIMH=1CZQv&X_)G1t& zFPUr05_rdfB>KabO?h74^}=PxK4IlX6xO6wzp-_oo*v+xNu=BFlFejIP!dBfI2fPb z-M;Pru3UxC5l$Hp;=k%>w6L}iN#2i9dZ%U&wjG}c;w@YD?}G=LXbXr`oD1U*+>A|2 zZ9YiKsOfGx`7X6gsO8S!zI1^NM_vs!KLhOW`2xNVu2Tw9e~BLt{uv>L_x$L_^%EIa z2MB^&)A;`3z}5kmlX&Z53HunHDN-qOKW>#YoN`BBI!;1CytW)kQa_Nl7yb=9D&SEY z#+MVwAa+r?ga{0v^NZr|YxlMJy)qfpPUX;97!WC@lG?3vO{~nV`Xfwbo5F#7$vJjv zP-91eJjfB9gPqDzmTcAEaHEr)x3W$1?wPYD$-5!;nK^Qrivk%N9&lY2X`J%jSP|qT z{&;KLe?$wOn#?nmFx$fm$g|y9hHV$J5;A_TO?L2q_-c#DBn~tLlCY40>>yijP1iP- zEs8Z-$e5$JowxmRNz-r#Xlw?4ICQ@QIA3DopUPCMV2@3erPWbtQ5l zJ>xrWV)wWp^<+@MU8^}eK>Zly7h9oy>M@+^ogfu-z_3ZI^ty!X01t4G7|$g)psql~ zU|;}JE5n0WOuYzr=M1+GN7>5IOmuYo;8u=;1fDiJHWaKSDFO$alJ?-{@i+!E_6Mr1 z;EJcRYHWa09>xZ~*8Ag0a0vJtGee-^SZmypt6LNKRFU<|rcbbYvprKqWj=po!Xkn5 z>C%HI^d`G&^?SU`HvTDd5>?x$qR$bR>BmsGUKFkFQZYd?t~US8acW8BT=>#(Olk7% zl1X!d6Q+vOi(U_H(KVhwH@mj-k3J;N#8KC;??^YA;<08p%}sEpnZ92k%~wq%hCUet zMJ21%L(JQeec0MGR#!FmlsF+!8wjS~vND{F>VGVMJ zmGfbkOZsFctNBk119|3zp#_O@887jKA=$l>Eh-@6M6fvT(yWR^qsFQR`KKzX?Z-Rp 
zBomtd;y1K+>P77Rz_%^p>(E07conamt?h*@i*lyKqnTVye2sZ}?;U+qZtaI^;)YCF%ct(VO9wQG z5<|O)AnQa+%rw()A&J%X7-3r!fPbIJaf$zule3iMHnYVfiUJCUG;%3mqhv(H^u$HA zd_Z{iSysGzY%QT=dF1jxQNyPI)V4)nv)V>$5hWf;xZHgBacCg=eIlY^x$nHh+D7O! z`Jdcd+o%JdCk)^+-1&dg>5#5q_;(bCwh@`CB}|Dg*@-@^SH|&@&mNNVu@X+wrkcux zK{U)jSMS1;^3*7EIkO8+LPR`$kXxaM6dYFJ;cN4P@N*!V{(%n_Il*Nu>rMs}TLA4i zPHi_^YwMVBm|Ew`Jtq`9yNV{gosami-hTZ=@6zLLQI=ZBs#{t24zbm>Z zJON&j1i?aR0KwTpQ@z*esa6e2}JLB+F@7x%~8C5Ub;T2$0>(3}s=e3nRN` z0K6bW9CE;T0oTV!P#5@`;;Rjy)foSi@dD)Fml>P*TiJYph<_4RV9A?sqEop`ZsIjl zK<&VZ9;Eq~7K<%rCZP1fOyyQ@Y?fQ;a^W zSx0ip|2{=zS_XuY8_&{u#T>2($>0@*CoS|NdWM83Ko-$7S@jr{ePdj)qCu{~%R}@4 z{5}ObzF}C?xUaY4;6JWxT^x;ZXEm@Ok)i-u4v;9O&fVO;l55;cWTf+ z{ffAdl{Il7Qyg4Bp0{dQaHpIpxWcM`usMVOQ;}O=*d^PF1xS1Z$=knHZeg$HZI6Wq zR0YMj+SNnLep{wV3U2y9S#36O#BKOk9B)Y99e%>3<)$CosTScv=T)R#t;*I?FN|II z;A6^KIa5dl5HpjW{sDkPNAT*Q`>nj_jJ~5I(>(|3nB^3|SNW-co zjrCyNmmX58zi~Fx@^c$LR5N}*C4R5ABh$1z#E6g@7TV<#l)CGYY}9VCmAIbol=8*c zu3_*y-`m`VdH3^+u6s+cGgZ@u{P^4YK=WDAh`{T6m}hft^*-DL zj>Im5<$~lAU+m^!mz0<69R_4X&r}>+R8QcGLqZN9!QI!uqC3iv;vY7)nK5L zg5)WKSh;6GeX=~f!NEF83ZKfw9YFIU zwJL)EGJZ+@ZePc_xh7$Gr@`|m2-u8428A%~J^9QUF#DT%n|gZU-D@q&x%d&^x7m%q zam4ZskIih)x95yJ>Zu#ciqBmB{8kEGHYa)y<;`+qg;DZ^=+(p-mjL+yS3 zWc$0+W@&jlWzo=ze=x-qLWE1)Z~2zXC#H7#iS1M-H$|j(cY8Q`@X^n`)ETB9wneY@3@Osnu&V>(815djYTTJGacnkOAz%Gm_xSosXH!n}eoMpPAUjbziPm+~jZVmiT5 z_xC!uoax_fzR$d90Tr(<3_tcOJ|KLOHpl$wC0^NUsnPGvsQ~U$16}RQ*cWRR9fjE{ zj`Y7{rdgMmB`b>n3X_=n7WrwLZ{-kKY&?dO4Lk_TV< z27sMJuA@ENmQQ{xyE5lls9KFY?DWDt2uYl+uXcBBym8ES{qYi50)BfVqQNdbsiqCWmXJEJ)KUg~ z2X;Y{398W|LdJWXRrX2IWYy{uB!SHd!W}B*mZ~8oCrss1a)(``iVtfPf~=EzkLl`b>NeK)-j3{+K=UBU{*{u z8kcw~Hz}mDv>Tn`ap+13dsJcLv1XmW-KtP=<0$2qF^x!zzPrvbQ^{$I&&cW67ePey ze((qKRBofQFkN3*N>=!(h^C(Qx_U7H3;9@>ohw*3V^h9tq!04nhg zK>N*VJ8qM%#v+OWq;R>m){8URq3AfimI9q06!880^kU6ocrBD7tgjM7$uS)^n|{hz zMBet2jrv7ZCf9@)TkQM5*lE#*7>LSJZZyMAh@?&ND%V$L z2c56(c)sU&3vW)b$F+(lNxZb+`YiidNJB5vf&NdVT>H2ASdm}hyY}}Zl*C+P|C@h z%Sf^W70B;QyQyiALQ!VA=gWwzsF&WvRPI!x 
zlo26=A&+ecwLtcbGv`7{LY;R-3%qlJEOm@x#p$Q}{Jb@rU|$l+vp=NgGJMPkcBx0l z8096=QODpUc_#x4$Qj80j70c@M(GY)9Zg^cXBcNPhL29rOVc?9kuvX{cNt#&Ddg*+ zG`(|`)TEmux;_^9$kWbDk10_QOCd=Ht%Sx6(buLJU>D08?FB>lJOg&GfFK8iWWcVW z8jEvfga$;-#zFJb0b)58Gq22mD2ZLN@)Y>I98KoCbl2SwX~D7`;B^W>2%JVd>vp(a zx}UoY_tQGv{LNFQ+!n<>XK+AU%as^t*=Qot$nQ3AI*o@!guG%7Td8FH%}PG)QeX}H z@<(!Kz0pJm`XoXeq@4xmtzrkBC-ios5mFx37t|jy&MF{^Ue~a{AlD`!fV}thFJ?&* zM)y)3ilGu3L^J`QPC{3eMLG?%Q^Hl}LP|o5=!HWmn|8Xc&Hm|T=WS(|HoiW-p_)Ma zSS3U2)2j8-JXaGD5xp9uQ61AJllmGY9^dN;rgS;17?d1gXIJ_hQHQW!LxkJ4Ss?)n z!IY|)9U+kVG`K^Mbw1;rWTX>5CiRiepR9-HG1t@x$;=F5Y!a5PZ>6Fl1+qx`O&c!B zaW+DwhNkZ<%9P!qn>p6DQ7E|e-R2Cyb`qdc3z~+_C{qtJk4E5g{sZ$m5EURZw=L?( z^z4_zAXgU^Q8-JF%7S23PyO&UD$QwF0L%@aGu_zgyBM8;BmrcXhbF7x0Ij;ozq}6R zf)-$B>ieX*YP^Dz>eR!qT2D5_w8b884*oOB{E1M~h7-`?5pf4%S#-Wlvyb+I?DM5Z zt=Oym@|AKowb(5f=&;J-uCv)`77RC=&DUT};-lgkq@6m4H=3W}Ly3!Nz{&k&bIFe- zDJL#!iNg(8Bi}vW*8H+2d;JOsThY zak_*sl+T&cm*-xJ@=R-EKIXvo{1=nJo9-VL403@KgOK`rTG?%cC{I#br zwDWF-j23_4kOa|XciB01uR*ZZi9fY~@S2+izM~+Pe$|=F_AvMT}Z=yKeYsejyZ=;|QkDM%-oQ61(B@ zemGM0yg9{G2YGatFtfw?I}jP>ar|?z;j$PDG>hcqo0|RAHMU1=me1Omi^xC1{;fiUfln`C?B8=LWZ=gQ_75)v06-BeFs#I^U{L^8{yj=IM8HXtp0ERAeT zgfo2XX;8{zJaX`=7Ic~?Ty~fhE06G(T1eh~ss8GYm*Q1O^~c1^ z^1hV)w;&b2;ui(#5i5i1PYK8Mp$T4Gz=!(J zG}^479m4U`nV;vwcx(fCO2r|FE^6vknUe(p?apAjA<|=+3Zo6Z<=nZV``?fSc{;8W zF2QVJK|c29JrO!J$bm=r;sp2tH25A0c;jqXo{tPO-rVWFwIM%Q!~52)j+AR5r1h+R z9VJ_ZToi4jZ{V7#oR!d;k6W62nXzi%>r~9(@C7_yoVRDKzmMs=u7EVU0u7IMH>Us08 zgV~9Hum!b$vD;`*e3STTuCK05ZbkY1x6zOv*E1bWtM^wgR!d&7c3RQbasPQpWH%|C z`nWVbKm6dL>0vuoEd9^p3JSFyTwH6MnXoK!N6Kad5qnz#|2;NsFu65VucV>28U63I zJMV#8T}}HxzWMpNJdVY8oavd6^R)aPVydXuz_SKf*p?f7Y)pJVnXH^x*ASH-#ujm4 zQ-BZHvzU;lwwbfp-BY&ZS*1Kh;J3Cy@Hxu|{e?;egl&5tns6uYYJ&X^I~2tR6XiVX zUco4$pRjc4tX&141atiuh#_zA(tz7)o7oJ9SSn^KHM99~L7?2-+`1aklzMcl65L9P zVrPA@t3k=0VwwU)u>yL}gI?GUZjS>41$(0Ug5odS61;KQ7dune@LB|(P$aFHMRanI zP?wU%cg0_@sS)EzX>FOvEHS-#Urb>Wnt=hLfq5%A>&>8uALP-K;fltqrP@lwj~P}5 z$r$gYmj3CWCr+Krw@@;W{gIBU`}P;Du7iP}$leB5T}&YPs6+7#zt0FGCK*#y9#WE- 
z4_UD9#-^TOp|=haH8GLQQ7kS5V6cB-m|`Y))8VIc)AUDECSGARRB4*`%3pr!qQ{>N zZ=`UHwmBi#V&Ui;s8yP@C90i_3hqhH<(}WwY>qpWU6Gg4D=po_a%m)Kq->^8)A4wbxKzMS7e7C|v^YT7 zONu1<{o7d%E$e=4+DAFPHvBfSkrVVhe!H6IQimOd)eFbFADq3ZLZ?3kRro*ej113g z4)(-*x?a@Xs}tY>wDJ8lJb2=sB`DZk)OXhc@p9~thE(kiXNE2balHgiC5&q zd)MjS>g6`hkKK)|IQ(Nzi&x>JOx#PqGU$pAq%hPWO&=BKuremYzq}5^_%1+W?ZMT~ zte88ijuLYa81X!e9oSGWu?CQdl-jhe!nzJC5<-ugpBg!}V|_jLk&nDyi$Zx(0D*g9 zmg6g!$eQ^9`|RHc#;YOhE84aBhT{M)I_6^v9rxDns6%EgQ?jmTJRM z40@^gVOEg`Hp95&)B8yFVEAZQ5wH5B{C5TK>(=)K>Y|3pFT36(7Cqk@(+S$E&kX9+ zao^q|$^?hChUBq)cg}llQ|4v22w*f*bE$n?Q%We(S)Y958Vt)gQp^nyo!{oTm7q&5 z4_7AUxVN(5b!ST5{#6O7@R7NmN%;}5Yuuv!=8qXPHXg6n@Z>2=_mGWx1*ApkxETSG zLXTIo4>UQgGw}xv3X*kO=}-*2kzSR$=-VwEX@dR?>D-P^9Uj zU*U=kNmF^ldtYi_5Pg;`1d^%vvN6U=g93u0c-)-490HOMNC147d6#Q9n@FnJOKD=J zArAB6^CG0h+DxbQiypLH$HwE&hliW1v`&l{@)dtxt+;ERuD0A~yqFy$`aO~4dh=@H z{qC8_)GhW6c=xNuh6}tXC9w9@3n>ZxksHE`IB$y!L$mKeKfmoK3C`zieVUzM|B}Pe zjQLrBR0}6SLmBr6SFq&w50CxDD4v!ZkNi2O9%RS-Y5Eac;ZenSV>Pn~4Sw25iLIYv zx$%RN8a3-j3NOll!$*YcEFHmRhW~>gUKhmbiyM%pgbU=xDj&C(Rpx@Ef)&S!!tJhw zV+i~mM|=ImD&EJ&zZ%y??t!~iqdYS<}B@E|{~UfjvQ#hCT| zY>*<6OQ~l@)!N;WCG(BX2-5A65JXD^3-W2umv8i9JlB<7Nwi|H{ggNT3^MQnK&bV! 
z;tpdc%bpeqhwjaU&M5E^ySNwbol>y`Y2bl3V^w4Z5Wk2XumT#i1C_fLYP%&E^lH>& z6*KIs-~f5Dj>03rG+I?aTbwJvyJ$rZ!X`4gO7_+`J5Arv*1l9yqXnvgy6IeG?R2LG zTY6d1dJD{e$f!-r928{+`QHzQG=@Z})kxD%Ha+y0AAne0us>_Cqs8VLKj%!jKv9=; zvU&P|^)iC^8az4#Br*DMM^wIEy{e|x?)#MJ948|NW*Abf>&kIA|3XQ%bh`@=f0;lz z{N{_r%7tWB3f`&Df{P&h>4fQgE*o7H%@dFQ@$casg|I}h(YvTwIf1TkcpP*qM+hk( z?7m^lx=T~vs68G=N(QHdF?#%fj|8+EMUTe+>On_kizbUzA1G1 zOU2-^Kt0w~ieLBvvrGvBFQ6LP*coiv2#{D@!=QRRT5I;T`q0d;T6mZmRLHqm4NozC zUgn&0?U=U3KrgK3gLp}lDLlOAJnvhl6#q2c_}naKC)89E$3sz+@#P=|IGSOJ4 zd6HS?^f;c}?B*v>SyZ9w@%&pAKMCRq;gEhGd>K{Re3DJSxw^n;Gq(=TB9c5Vj& zf4ABw!B_N8*kly_SxKymQ2FX2z%O!g^gGRMn$$*BW*!Ldadl~52Yt1d#AXg?7xRBy zY!0#DjuuDB1^hfkQ7$wpvG74m2x#1`}VBr39ti4g6qOM|-DRyHcuKMaLfgGpg?FH9QPm0CqN_lT(4Ub0pT^9D zELpO@)-SiQ(+C;01u}&G-0}Oblm;jb*sh}P9f&)L@4G}nvO%n?K1s`JsICwH-#^{d zmi?^4Qm+(uKr(3PmJBCicDMJnPmnpmjmxAGKy8TzUjozOF+88Nj=`~$mSgfi&2WI` zN5v)YIzaSR6y<3u19x}eVFG&3f-sqQv{lJdX)>B0lLv)nO842Y`%xQqC(N?=iDViZ zz%MZgI6Ks{AM1Y!tbYtgUba&h1T_fg0wDUJjkPg=Fo**`gebs*OYT;uxGaqAn&US4 zeX^Cd;UI7o8t_IwW(5Kg@|2l!7BHs%1Y z1$x1PP?s3M{jr&_`D8#L5ZI{6eXfW+2Ao#ATvX@ZO4AO>LY945qp+|uVYBR+=e{JX z#(VO_mFcYCecyG_zR!2mKW_LN`4s17!{#%7ATZ=Fx9}NJzRFj=8j(j{B#S|?RIe~Q zPf%kas3;kz&ztZ^S3==hQ9oyV6B|{4QC(}pj)Ykf3E^<;I15`mQDgwU4S1@6+!yCS z^|{GFw=x2JNFcgmnVVIyfkQ)_@AYUn8GYkMu$MIZF@`}4fWFE1TGW}0ejPMj7 zw-Iuy;+D+G5?LLSbV7iBYX5O?lY=?{mE3DXy@98S zQ-DU~gBQu981U?|Et_Io!40IYwBY>bo$mum1czYM_`q9o$alK(wOn6N{b6X^KH38~ zwF#2{?8sN>3vJpYpbQZp8K_e5IIz_!klV?R)6Jse9@XO;D}#D`>N;W>IiK$V6)2vl z#RADgHzElCh9Q%@smjbs4~!$#yL~i7Qh!E+3{&4TcfXjVR50JTtg5vyZHzE~@GzXuk!EzHuKy#y$%z+6uf2u1=90Jad% zrr=+N@E#u`={zm3T>A;a$fQ_q2C|!OU~1#D+6XU#e~5Me&m~vR26EWOTt|?*m6f*@ z=ecBwIfxX$O+;ddi1Ningge;}pJi>`&{0W8e-_#juJ8Ji=Av00Y?Jo>(@|Efp+ zbY!N~#lX1^_=I)Hn~jeR`t8oqs$vQ^T0yksM$0b>HU#s7~Ek~oH1rdsn$krC^f-_c*? 
zv}Gjr;m(7u6UL?^ThEcR`9Pj`sL;g;d7af0O-SK?ifzSQ1`rVL)*sLhQk#NK`K+|X zEk&`9bd05sDB+F4sIywGHyOW9`or4k7vE;waNN$9^7V{Zx;J+#61PIg98u*ecm|NA z4De~gwzXnC64IB5hx(D-i{n3ENbWnuNYAsIoB-z>9JLWezI>HN=OB>b6JSm;AWDt%n{|A=4S3AcuuBX_n1Nm6_LIp$(Z2H9`Ks1wGSP({Q4!$}B}$aYM2N%Qd^q zm+PHpVs4+2CyQFKfcwUSB-`TzSBARVY@;LZhNsF^nBB!+@}L%j`oY3AJC)8+nxdw( zs~jDQ-pn-{V5OPWU9<6vZUo}H@&VkPk~uEDnf>O}aX(nk%N&d*3ZciJ)Y+%_KhX^K z#xVjz{P-co#iElKG&ea?FHk}^(46>bYpdE9d^isvdR_2wh<=SYKqpb_S7gzW7lUO} zCn}s$@kDzmE~Y%XEM=wx9&|R3wBRF-GT4L*MDH(gOmt6$FH&QD7!LX_TM@yt!DAs1 zp4rkS%@HD%>Fo*IoY)`oh1uGnPZD?|V;Y4+I~AN5N=SFQp7~^Vt9(#2u~*rMZEK_u zN%!&std>mjwNCDjn5fW~0@N&{t%CItYp1vryyla-JZ6yBaAOP}zKXd8P3CxMv+O?X zGff9QLa=49*cq?^0~v!W>nYT#4)&NwNppbH0wDh)6jjtI&@fSfxh`a3VYd87l?4}8 zbbe_;i5q(M=nN<1_(bndW685S9Pj?);|>d6t1#Pf4F<7h1K5&*=fby~pa12bN!E&Z ztQ=I+sMQYQCdx2Rpzp|IYLly8GeehIsHvh_YpBL8M29)jOjFMQct-SiDS1|$!(hOo z-F)@GW&v~FGc}YFE_*Dhln0g#S;mcz8hsEWI&>uyNQfVTdQX1|`3+&yY2;hsx^41o z(%pysFS9r~3p96kJQO*O(cL1yAmYht%RwYQ)!ejzr79aZwIVi1`+n7BYMU&i74Ka& z^y|!xCSV{AS$>G7j2i#LbQEU4wR!}4&<70I^mD`{db53y#)a9HO*eNi(3b=TAHgf! 
z{|Qz$!S19Jj_`I&!qS#eA6dvAv%2X0H;~{Pc0g9TJ%Qer!vRTFkK_ApzFISEX9X8f1X2Yk z@BXuYKtqY%(!wWI1v5ZOfsEh>qDEAm_?+Nf7`PVvF{)-*fX)6tVg^Eo^Z5Vu-xXC= zH7-2|5G^hwnymmMs>Zz$l|7c}hoQXF8k5xfDkG?60&J82t?8fHRrtd=2Ki{khB2q6OgoeVg6}8(FfDc{*V=QR$C^7| z=Ki*Gl=3>Tk?^V@I40lDduu11Ruy-0j~=PBMyc8)Oq+7AJ;`oC#be_;LBdY(PGHw9Tlz-UV3vyZt=!{$AIc*Uk^Ag z94A9B+qdjZxb{Xd-LM4$r@B;WVgQtol5(L5JrKDc>;C{z_y`Kra|F$#|1Jpz6P7+= z?XKe8=Y<)N6whD01YxhegMf(0QRqiSSn1msV^2UCRA8-n{|WBE)xJs<#6mr76)ZMk za*qqi^Oq`?V!nD+;m__-nc1*()LC2mM|B@`(fO;`vwQGgzCBjhld8f7zIb3kY-ptVY0H}|GOiQ5l(fR z2U@&y&#q8Lmx+OV26FVtNAL zj8{8!Z-Hbi2@AnQ%$4`A{Z-gK1lRSyOfeaG=C}a#r6;z9u8~@X9CJRZT8c&fu@UXj zRsSnue;78Cc=!$<3Um$VKG{FIZ50L$#a6yYhKl zoaSc6oxrp6yVAz%!-W6yxr2BAO9|(tkYYz0-f@MUqo;1xpOx8-x0@H@&exNJjknio z1Mi#%bfHC}>Vbi`>5ZeR6hGlNydAPq8Uu$JX47G~wZ1dhc%|P&R`kO}2;@1pSbzPd z?{eHFS8&ctM)GoI*S5UsXf>(or&0BGkP#B&?ypx{^V>i!jL4)=)CkdrpU2q!`zNle zG8xIq+Vg^ZZ(BIzb>X@rfFtq~om=#!FeBL4wGHin{KuvQuq%xFPQ(=zO8Lrm16J7e zr76VoZm=v}TA>AY&Y}9xv}dL?41Ef-Rv?S62*Q(aFGzC6WMY4Z#2ERUD$t>8bJI7% zruQJBGuPn9tjTB$~wu{RyiWX+QSt3$n@yXg4i%nEbG zg#?h6e{TLg%oTWC_)75AYyk1|%r!zo(^)kV=|luT+;pQmBVC(g(_@HY{IC^F&mxwB$RgBj`?lZ_6F>S z&@wE?LV`~jflSpDIY0M)K9sWtpMw#qK@SoQ`bAqQdVJ4lV|x|K2SSCHLS-CGF1VwK znkecum*Ubx*T-&t$ayGsxh^10b775+30lp~dxUtT~kVbJ&?H>Md8 z1EnOOO;7ZxWbOB;`~+V9pBP$YZQ8_G!ieeds`E3y z)8pqtkW$}AnW~6A=IE{e64UFI=tmV%baFsee`-sJi!Z_Mlf4^p8d2;@^iZMl!IUYw zY$ZeX$#U9^&E2!tQD>0(tS`v3$(1zMbi+-|&}1JxA+viT`x>whF#xT?3|z!bdF{yJ zytaW)BypI%v{k1s=FaFo8ZKatx}AC@9$eFOt+M~($@ZvRA@`nyMZ{E6!$cjQh@5bG zjn@6x3O6@~tA%nD5rb_yy!?OjHGE?iqJ;)|`LEhoak!fSCh+SxN)VUP_73GvLtbD$=0m(3*#Ad2jU+`jC>9NgN0 z^EP9G_RA9A29bPy1W>=l=5Q$pWA|l$M)xTMSK1QjoXn!Br9QDp(f&|F zR|~7jgweOt53`Ixd2gDbZEnShonG|Ghh-<7gs22p^H1_((g$fe2au++r-0cok7$Vh z5+Rsw{-Hq992eauBgk`AFkB)W_wh|o3&4)2Ry%!2r1#R0t*}$Az(7ubyf8##rKoVh z=`J9xP0d&d$f@iOTAWE<3|si>5ddrrRVIBz zF58aVuK7ieYxXJIm-Rk&FfBzq<0l@Q&L|V0nMwu0Zt4~0r(-Dw1F#j1`0s^TIlU*y zBdVbO2L?H(;ae|z%Q8{JzgZKT!sjMfDZej?3Ct1RYr~v!@V^}+HOTcb&dW2*Surti 
z2EB72yn7|Ocmjs~e?{tB!aUF_j}tDvW?&)j0vJHV0objoSa0I}{Xbc~<^GX#V!kC= zQKcLMJdGLDyVdaRRmPMmEr@#NKLx5IaBnloN5GydQhih^PS^T9qg$AQ4l1FY8L;^x zS9F;p&tChrq*lICHzWoa8p>r1^nF#9VCS(ZQU#Y$%;4%Gmaqi-T7yK7OaY+z1E~Tnfx;|1vYT&T zfmz-X{+MOx)+DTJAAaFTZZAQ1+`xwTe#j)B8h{l(p20j07Ahqn+L$;D1{VH55MNtD zTN@S~L;vR%NH6`^mmmJYsny43sGgm+0f25__J2+NCumumnS%UXc^y3V(mcb;nm32@ z`K0t?irSqM^(6(#E3WAj<&&#|1JQ7y9kMC;4;$;4QUrg{0GpP7F2 z39=mP`92imKOO{BZ!*&T#0yjiVQf&$yKy?}N}M`HX%>1PDzlpBqzm}zs3|jCTc>wOC^i5yhDQY={*yqDrY6Tx->y{NOfyR-2p5(8Kj9r9_p0#$IOy=!fC3Bz(+9nH>l=iI zs0Io4m6wJLMDo}}Q9H4~U*@_3%HGOs3&_r>1S^SUhD3IBhoX%6uriQKQWC$%=r7Ow zfL0rGqQokvgB{Uxl}Va5d0EPeZ*wbhmexz=bTO@e68(rWLV))E^cxvfzW-xK3YO9e zhFccvWWZ9*B@9TJ_N#r7sG~@5=Mx54Ix{F$yP&R`9FH%k&KWMm$@G)Pt8P|2 zO}9VlHP|O9Jw7nt!^f0}3eSk0T}u~KCG_+A)~qjvApfAqHmkx%KU###UT9;Ac}0@B zMe^;;p(kDqVNSM2se#@J@hnCLXJo(pKGp~8;5_&c_gZ{C2yrM>s_t|C{KN|wdB#~1&KI2A@49&VUVSs8T@Rd^_&Kf3m_o)RXTBUGh*$Vh0%M+GaiL$-H`hY;lg2_K z!GqeI+u|)lV%raz8F9SqC6Ycb7ij$1p;hW15hqW9ki z>~(1UC!1A&(LfI?10gG^c<GfdWP`ToSaJ{G;MbC|6+FQ$&H` zg@JeMrzo(%0Z3T{>>s*EbbPc0&FpD1v+MIv89o&9Xg|B0ZRI{$?HNv<2s`^W1}h0a zG`d-acHn~bIAWWR6x5ZMNnP;iHh7?tGjwAH;sGBj5uSx?#XgAQe7(BM1w|G(-Ip>| zm+9sjn}0H*Y&r5_&ytC5Z)s?7Cyw*%Ik6wu=`X*Hc?EiCdZVT19CecwatvV!omhN` z1LTNjo}qvmvBdTiQ$W5_Tjq9f^gaY}1HBMj5=tzpSY5L27CS(KAgof$C1Vo*FbP%- z%nr9&_A)%Bg`b)Yj#HXmtk{EcrC*!*LPi@ zsRlWtUw3|(e&!BdBjMT^=emE!c>M&M&;a_XPZk1X6v zA0(DX6=fvS&5g?dm|lh+VObK8hcWa`#qc&@Nr*;-h~3U%rbqRsgv4_?;jv(6x9F~1 zaJ8((D_}kEfC}H+oaKH7BE4`@C;o9qZum1G!A_2@Jq8_Nsrd>08yzKjmh^lgeQuF? 
zMnqAS>vKC8x(xq?IRY6UdN#+ps0LGi)3_ARFWm4!Hy6K9k2n#DX_3%=NXC$$@H%^{ z^r9Jnl9K>-O2nbBVT2~+2Jv_iGJ+^geeya{G_rLtBBs^n6{>ur{QCm-P}pzh z=a%Z`(l8;DEn`;;db~<(|ZHW%ab9V_Id8UM)5`FbVV~VH2IFvw}82@nW z^^_-t%Jv7LX)z8#Jxl2y3=uXajPh?@Sr{y$-RNyZY|sbO(P9XWx{O66(GNqPnQibl zRbopNV7-#MA&4621;Q=O&1Nu26`VujK7$}vlQx1S*-9@-*c@u=jv`31vwDK-{Qf5^ zbxC4HveqOZAgJjkz(O>EMAY!6y2J#&#JITfwC%O+H;Q|YvBkSX=xuB^Rd66y;pE0V zfq*A$Y;g<)jbV8ppR4a&NRWe($0TYvJqD~-EcMyJVH@h+<1c)HhNhbjXAcP|oRc3Z zo}M`69di+v1G38Yr(vK6lB{EGCRz6=oEe z0z!&ET24QPy_~!0sX8{5r#XDZi+)@O=x1LtZy2%oPtf&4Tj&7B|LSht19dY>A^cbC zQ1Y1gQKLE8Hz$TCSEysCm)}}eE|li|*XHibH{LP=?O#UDlJ0n~QFI$SM}@PPy}^{d zf7=MevX+xv51+m$v&8GX-JMmh*Vy{6-R79RM3DuKhu&jCtvehGGx0Z@2x}OX4Wsm6 zkx4>iA)nF0MRV3C@t?$nokH_VFMF-U{U^==X(wt8{!8~2w080Sc()+z2il7>cmoN8 zfq}ih|M$ZYyMhp;j3(*7$8xb>)Fz2Qi698|8Z=iLb{ZXRf}QVw@%6TG!Q4Ts95CUo z%!84&LxyL}^uo~xx#w-aZfS!LdNw?*{=#LE(a2J3uOt_$94%_6OGs`)t2{$+8z2+n zVt!w(w;mjv&&E)`#$kaJhfb%zE*=cmS%Ql|NCWS^0c!({Wcbd--OkPefTaisy9D+=wrk?S;BpP?!EO>Z&z9- zIaGh#QAD+s9upklAXzQ|OlC?haQzzz99}Ls-tDybJ0>L8@@?E9xkVvvRq5ghDhH$c z1Dp8k`i{f8kM9LCuZM6;ByJ0dm}<6b`)2F~Y2xVPFRGEM2UE7H20;oe#r?FaAFl13 z3F}f1eos-Yk0O#3RB*c(UIDH8g-K4NS88b-Ko|tAr>To? 
zIB1y2W1v#{O`GIN)V@)RU63D=wgNi_*= zu7^sMaWewntV(38MfaF@^0YruzTT?y54IUi&Bs*E+2kg5WDnxzW^$A^W#+8#jmCB% zxY7^O&>EZD`sBS*2(qglSHP;jsDj;+7jXOHDCFzW5WR}OVJ-SqKWyqINZ12=ozN9hnc{?n5X!krsFwd;$$X8UJljG#S) zfrsCW5Vf^I#lJ^fY!fg`lHN!v=}NV_E_S#b{oj8j#Oc&R z7l>q?dVo-%5t_*1+^ge@14Aq-9FvTVewV~Kl9iD3IFy3=f)CiY_D{QesKRZYZ?91Y z{@<^bESR(3aS5l)3fa_CR!J38%$kYcANM-_-|=s&J3(6m)gA6TX1MRiD-#B0(;88%-r6S67zW{Eg2BveazqZ?{9C-w-LA7zw* z{wh_{)SU2eKH zM5ocn6i>>PJ0^ zt1)Bs=%{(j&4P)Iu$rZ_EB{qQwoH>vQ#W|9TNC-*+y9++!w$2%U;<0Wbq4v zLBX) z&Ee!ou&K_9AHAs$@J$Ol8H_AWX6f1Cm8Z)Xv$%w>bJGZCGQ zt?1YT-#+sLvrYJrH`MKaR>@MIT$6)*8kA0~epD_OT@>-_FZ5h*WLB_hrB2wlFo}k) zYQcPZ!Cx^CO6L?sXTgx4N}yj03g3GZlUPtEZ*(4JJeAb>3yw!#z7b({-LiiGh1kvf z&fh)(d*Zzsxly#Sl&XnR?Z*4!_#WIohE|=Z2C-+#?X=d&)l?bt;J>kasx#7rJZ2~E zvNHKszgtLJTC{0X6Q`F5U;z) zk0`CHhY^~KP1^B}{&#*oTuF^EW*Xr{(Wp8zrEK#LJ92hguCGI!YvwmrSj0D8jcZo- zsi4sxpURC_9lH9}xKMP|>BPBpo^tn_^6VFx#xzbs15(=IBc@HcA~J#{Y}g<1K6xLU zzSbP_Xf^zKjwyGS2cK=!4}7qPayZeeR++%*jwQG~bU7;-ox{JdK4{Zax?rcGmjbh8 zJoj!XXg>cg@an2v+8$WK_^F>(TWg6Tx>`P%n%onAyr91A;!O?QL(RYgA@$pB11(p1 zUhb5&Kb*k{g)<{}P2n$Etso|&n6R2d0ghg)1)Z)AR^5JDs5sz_gEYpiTeD(`#_bKN zKZRnyNmEqJos!(x-uu3y2jaxEX8XO_@znHDBt+}Nrkqdw)GftcoroduT)St}W*C(J z`KpgMl`?Km`p;sh=cyds-=`*Jm)`L~o1;@gt?^SF>kq90EX#}WvL8FaBrbQqdb}37 zlCZ8kD%tjyHu!ewu362ke%vIgj_>2HVkR>Zx-|U}J!0}VXF05bFOkzT+GsxQ=+Lkk z!Mdwe!&IQJJghq!FD9-UPSwIvpEdrucYea#R4?O>Ryxjhb^fPQqB3nXzZmyo-zcl$ zMkRCE=M+wMuB3UueuZqSp>HL{FTR!NPm7o>o*c&G{%)IZ<5|4S!>yh zrBQlJ8H|gSj`RKcCz^I!m3{kZZuGW|pYe**G6`it=^~v!*>f!|38%Se;fVPy)VOa&|qK#RA6Ap z|1uHV>wsfz`Ws@&gBUVmyiASA>Kw8H6#jRSngoJhK_PS_2I% z*F>Pxr{k`A3Qr8x1(V92A8#^%wE-R;Z~_?J)= z{XEnYHw_iD%Q(Etyd(UMWA2KdH(>Fj6pA9zmO@yq1+Uclvp~V(#Q8Lq?512=;$q1p zg&e02`YtmY7j5iU@flmrdnd93Oc*ESFzM5zoRgoQ3a^GsJY&h_n|`G*{OjI4VUvjv zjsrXX!u=|;e8|OGh)kP)x$fa>Oc2i@C+-dFI>&+J6tLdwrmlGxOh}pQOGLS*%4wo> zkIb8tSoY~QDE(>oibWnHLq@bkkp@SN-n+l|H1&2{YSL`**b}EvMV11=9D?zvg8IrN 
zIqt8)6h~6W%a6k9Q@O(dp5^_GM^pQCW5;OGCEMg-oP*QqQ6$I*RlbAqlvb(TQtA7*UgMj33o^-q$8!bMaAj-gn?JMZsB*Yb=`%|`wl6unp(O|SD;LcH?-hYKmYV*;b@tL^xCcL3b{F|$d$Z>K{u)rnKopIz???z)6nCs8K@)<7I zd8l1(>Rf(b-+W{Cx!7!R!MSS5mTik@MPh9=hxEq*t+oiR2GhDATuz&fK(w-Sw;8;? zQ2jfH9xJROZHTIwfUco`I+b5v%9e8|55_Qe>FgJ_@1e5gx}c3v91|7CQqF9XEoEzD z*g?weZ#ynq_Dn0ZoY>DWC(tyJMCsY@@bnmXxn~MAlqZW(N1Dx$60B8u*FH zL3V<+yHljHqQlIdq5cf%AGl5M#+8{pMs~qmBbsz|pMhW=a`})_kCCGD;^0qKMVi9& z$9{CbO&~AV#gFJP4L-h!Nuu|(?} zS>;I9?}$J=a^bB>1Z@Vb}N39#(1AV&Dp4pEyaj@g5B+9ip&if9`>de z*M1&kIpR+9Sl zvE~IqoBSc$Z9TJwbU1<$>3yxsMU!sf6gZ@#R1u^hwrx7LO?cBQ!F(m5>C1fn1B)h9 zQOG^pqNcW^XT=?Y)^~U?%x!UQH9@PUGh1pnhEI-eT~(ksK5>2@7aL22#aSB`e_1`= zdWPh=|BRd}#68w=Za*dnzPHJ=LpRa`zd^&5pc$w-p<97xNd4sK&b&%@x<>mI_VrV% zB+<~u5@Mz_O~Zi=LASb=o3p=X(AT;B)6!I=d7LVmw-cT0GX+7-bRIReDOZ=`)rn%% z$eDTqxf$JFRwBO}@zY2;Fg;uM1tPo`*(D4DKT=guSTzRa!)o&9uipuVS~vXjp!I=^ z;c)ICI}4MOaDbAHMandL&8F8b0V*56u~E$a>dcXm^kp&6_|4vEeoGORD){ce^VRDq>;#vOoT!yNSW%6|C zBbMn#4z)+AgVU!<5UUR?|ydoN%&sNfy0P9iDa@(Xd% ztT`7ceEPC9$~BU`S+p2nRMJ({Y0b?|4?>ELOI~AM+g}p}2S!)d1XjtJ)hXRfSS)|D zvG*|VyYsq_g334E+tRp+Tkp*0nf)JjXKprxtXlR8bH-B^I(@EpQ2l-19F#J~8ub)c zygE<)9(Jo%1fE_O-a$$Rc3dkkoqF~_nR%;TJ7_m)Y`0jaA@jy>j`3?#E9uVm&%f)KSKsOC^ZELd%(F#ojgz+>+vQ3rVFzmB<&*21CFj;myVie~9-1~t zkBtWYrInh`H9|+XUUthzGlCc!jj6q)m93rU<|p=3j7^za7H8%&c3fv>&4LasbNA+t zcNgV8cL&2nXSmztdvzO)KlKXaJ69`~;Y|s}T94+5Td55?|Dpf=HNnOGOC)$^(zoe& z{`#f3)4Ibhb&>e#^cBcRokoKFet(oY25|gdd>{%TJnE{Yb=NUs()XE1%eNv=&?Rn8 zwm%$ddq=vP=9q`3X1xq;uJ2&fmUxGb zLDR_6#x3nd)5)4?s}A--l<=$X@L5EWli=;&1px%5R!Hkqk{9_`Rnto#EGn zhs&2t$n?Odf+cpX zJ#PY4$HmW70e6>0L5{;?`e-L1`4`7xg0T0d+jJ`SopE;XfD2Kvi`qIntrn7-OiG^e zbzMB%uaZkSmzyhnn>YW-w(HnyG_KDIq!FElSmO&^54t_Kk%_GhXnWB2OqvXtp8;>{ z@~^CO_#aoXc3nIi+7gUAH?N8);cDfPp0oE7=Teh;m-{uR>y7W%pH--p=|8xDY}U4R zJ!Z^Tc5=#zTAaLIE7IMQa0zn`qV9u1c`J(JIh;|1zL_Ic>Gw&5sHtyNI;wxo+BL=Z zTEbyAwOxE>xVaf)dpD01T36O@PnPbhy6-FZL_t#gIox_i2Dz)F9Ss7ye8f8H)okk? 
zNm&9(`A*=%RRg3BAnu^coxh($cYSI6bo)nA_#nQO$yEEz+qx%Z7OxG~jBHhr%IV6; z&Wu_$#1In|7xvz41h7QCbvbB$on36Q7|ZxJ%S@-6Wj~hwr}fA-%3+uPA0$L&WK0I5 z*$-5FNO#M%QD@FiKfviHxfko-=8@z5<;13(FdupQDncSdu%o*z*apQj-4`1<$C{SH zu~kmTA7oscH`mVCRaVa;@xY^k-_u>yes9wBI+fROVJ7gDlg!?>!muaUUF>`G(jr59 zPm7yWq|U}a=wDD6|Fg}5v4vhk&-JSl^lLK#OR#E6>mBfmbvb$1D&80?$wzD{U#iPI z4pQ>QQ98y8m66F?Y_!X$KL_D?o382gZgsJ4x9ng)8~pYs=}GddO%vtdYZ~VfQ_58E zEnjJOGKxPyeV~fysW)G#s@~E(T&zBfB=0NmlV{FwN1KASkY2K*PTS&Gf<)ImXnchc z&U&p(!d5aQuN5YYWgt+@mOqxco31IfXQe)?JF2Rh)ut(mVqPkNjT550NEstwS5Zq5 zR5!PX>|<7T8&EIwvSoT9q`t;T7ULP|jK)z_hOsuSsSd#e3CwQ3Ppxrc3*Hv}zU(wK z32J@1&Urubx=~d3G^f8XrM99i>nsSYK$!m?Z9F;b@8I&_!_>vyFg6a)Qz*mSisFoq zbSvD3_xcJCkvEbDkr%kSl4Df!FTE+gir44$zO@7m5pD{}`~t;31}0E9f(r4y@2)wk zJ16i46BUSSjK4ULmD!y$iLjqzgiPQ zjc{l)sZ5uI!U~}v1?*Jw_3x+qGVK(d;{uRS9&G;b#CddME-kAHd7*oI$MB4;&Bwb| z6I-jCh?^#CHJ#_nUILA`1WP*h0i{(wP2;!MdEcP(oB$ue4 zo)UNdBntQp{hr3Wxun#{e7=y$Pw=!gnJC9>yuU9?CfsdwiBbQKCRT>+HB`*%9S3br(2vz5wkKmB%B-}~m z#zzN1DK_n(mt@mBg&rjn{qgI%JnCtDtOa{c<@uxBi2cY+auaZx+apiJ0FyE^;YF=Q zg6PhDrv6zL3Bn`-9<)ih%}%V>jsZup?bs$plD+f^g$oLM!VC2v>l3Nv(VDF^o8U@yq{ zj`y|(90s+^R@uqedcyKR@TUYucK2!!mWXUsLidWHc@e3}O75@s_f>=Z2Quk`bnY{cK+;2hI zj_KNtZlQ@t<8m22DXrW6)uE;W?J zic8>2Ys;8O$n*I)&L@QKP)nMWM0~wRbPEMOF-)GOYiTnC&FUwd46>!29t<5OxX>zL zwG2PW7~1t`Sw~s!9I8AUYt@V`WPk5@T?mpNurO*}@H0)c9r<1~<9X6*A-({$ z$$h&38$pd@`I`V2y8COIeKx+fG5b7|Gt>A))7o~TS2*MfYM8_NhFc9N5mBC~Cl~_F z;_LE$%SDOdi-$=O2}4= z4;x~qlWDRV{X+GJRAkgp%%&v~sQdT%bP=-2#xcoQsOGjqpO-j4a*luQ7Ij}bnpRy- zqHt+fC?rY+ol8=xOVzICl*N&bIVF=;{pho3zP2<_mVQKB9ev z5B%9)ipG5&3>%BEET6ki3Vh6prXKP!r$#pIm&fB;)9-Ax+G5!7R-(Rm8zqpbJ4 z=NOF_H4#S36e;|TVU&~02~&{Ev%^ded^;OSx3^w<2ms}Pu+AAn062z>5qK0M14X2Pm?dF4b zjj*4PrdK{i^t+d-G22Tc0U1LwyU@);oEsh&?#I}65!t9zLw`cBy`!Lskik^ZZ4Mu~ zRM1wU{<$Hx5kY1>NwN~g7`Zq2Z3u?A!j8M8(u33peG^8(TGvF#N#8H4&aVDXrA)=; zw-V+9tjOmyeqd8B!WJ7j;sB3&O) zshxFyH58&v-2u3;NJ0gKQC8AO{Z+R(!1Pvyk(3LJ6H8RjY+)xQ1eF|W>mJ3Xr*tfW z2W!MoE|1d+AjMK9-TW3U>lx^5RMdGio@95UR- 
z4xv{tX0n3aR3#X#sK~IqHVK$1=0g6xXvFg(t*1uD&n&SJCU72dW}feKi&$`og?G4H zP)yg21|scB6yv=J9X>aBDcXM<24Ol#L+`%{2cJBg!~VUvq<_Hz_b2??r-?YkM+g1$ zWUj{|m=4q6V&T4nGi&>`zQC8A&)EmW4mo|8LWbr{OxPNJOVU&|1hq;5A(eo}G ziG0Zn#CatMC6Q6uD`1(bsbBsD4Ac zS6s&>#$#Z{BDo=<;@g!9dDZoq@6 zkqHW=W`jsTGFt8NKQK{C6Hy(M4$IT6Gm|oQRG6h<)hNEHX8Vr1nwhb*0$}e;2CrfDlJ#S2wB32nHg*I4;kul|DMhz(| zMLK(d8oeCwb>@3wk)GIlaP{kBDBm}$!jw4>rZ#KgFDqkkGO1i2I2P0qo37K|W-V&z z!EX6(=f4?z<*#{m1VP+JM{-lcVhP%ToB0UG~rH(zq8J>W)yp42ps!N-gU8dDd!BA7;-1Pzt& z=+Uo)wDWSXQV8#FX6-aI$;u!cZOo}olU%HJp_DDcYvd@acI4f4{U}@n&so?<5pN+^ zQ|frrKobO}D$kT)Xx?Fd`Y)gU+GRK|_+siB9QN*U_9fnxNM(IHbYzNHV0*uK2N~qP z@c0C>B}wzSDq&U|9?Qt}(WjX=1yP{urZ5Cn$_!5psmvZ5u~m6}GMx3e^a>UXM}Pp+ zCLuVol(yOrs9&OtQA7G7XSzpCv&gZ1;v{E6y@4G%$&cX_X?%}L@sx-@L>}e{Lv*^5 z$|Wjuhll;eH77%w-nVoe_azAVHz}mGH2ha~d>IH+3M`evmK@IvqJD8>U}W4;JQd;VhPw=0GpV|2&)ZCi8I+++#lVs0{ilG7Mcw}oH$ce0 z#XKz}Ze!Y%uNFm{3s*IU1|H>?QJs1xc8@9?lAe~z74<B17m&7x;&(;`!C?y#p` z|3bNTS;;|O%@iGqL4Bhg|3Kt}`;hbaBA6*m4aY_}Mj}g{AQixgz2Yc_M^PLH5??XZ zgj}$GKlPU}Efkg3qrBn=(m*RxqOG(<4lz24cG3f7dx}R;1tC7*VYP6i zJlj#ai-kqgE}UX0^6E5Qd2LiA5#vjW$`#@*ojYHO$zl zT_IgH=YI|UZ?I9eBC%rF7gkiNC%F5!nJT z{yMP_%87_HeCQCo3D8QKn{sV-tLNMPIb^#l+>^KQ0G+zqVV4~p=U3n0Ld=5>%l8Ix zyHx`VA;i%iJv9{32Vz<--LTGVtgI}S3L|u&Y}d8~XTo#Mq!CX#&kT=kY{gup(~EX; z5mJ|Gw`XADWoI;12o?kSaSKAIbP3W^ zT!sb&iZt8~=Nx7!l!4IAi;-c%oynU63D&yFf~qHc4rxz9Qdx@L>ybJ+uh-B{{SHN_ zu^1^q=3|mzAZAF)jBI)K+z{1%oUONvKKME*u#ZrcGEv4Fz9O=5A+GB`E^kX`MLx8-p^j$0H5)_y+WmX0ioqd1R^uan+OP2UY?Px=5h(-t z{{wh-w?aeTu6y`rtiV%T#rmWX0t9+P4yKT(E1{BPUYYTfPH8%i7&Mm)X!cCEL1C7m z_0q(3vSAErv?lf5UXD9M<3=@Q477$@ycg1PM=Lu-ntVSkPs(@8Eu2HP_G2wu>S5)4 zCuS}4k;PO>a8Uz~&t+l{lu1bB;#y!b^KE3o{OPJw1G_TP&*aVW3+0mTbylKtGnhAL zRevk?*%FC@Fa|&me@=S6;xYxYT|yB&V^dB?$Vf$_lgc7E6rBx7kmGKW>#8e*kKmBl z0Qj49Ibp@-GXUXifB_2MN-UXlz6@VCj-^lmu3}qgm=al90bHdMr3P5pPc=UnY-vVC zMwsnBW`cm=1si0 zoMIne7aa2Pjm4ydQyX6m_){23lD{tyEbUp7ONku#tkT(46k(QV4wU^sD{c%?(fCkH zqtS~E98e^7@NQj}B*1jO!kH~*@J{O;j2s`Sr+K)grQ9%T(zD{QzQd7;HNTnelaY^U 
z0GoQHhGJxpL)ZEdO74D4gqHM8pFM3}3p3Xur|^3}m*^i3-_15%^map# zffj(B@Mh>iWV=&rslNTi)8-GpJ~fbp^PP2L;TwhVjRlsX;C4MhdtLNYD0jkig=|F_ z`SU<~+Vg|Wc>}l_k!x}gw7+dE#ED8u4nW=7hZcH4Yok{Y_2A|u3`MF-Ad?4JX}^>b zg-=|Cf;cl)kZ{LZKjHTG* ztGPo(U_mf^ZHa%lJKfK0y^Bpd!tW{fHHO&mGeB zhPsYx=>mtRa_dH)keaW^GL3~PL2+E|g%`?dqa6rzxq1hxNaw3*sh7AvWTF?6%(VFyCd0LW zfr*CD(bTA-b~xlV*m=8x8~d#JIP0woR^dMy;I^klR>n6B9H(5T%g)#)ZE=}UMMC73 zB6qfQ1V-!80LJPL|G!&J3z(l2%T_)oxLMx7tw&CBs zrzfp1aFc|_aQ(K2(XwG@+pM8+pCliCA}OS%z21WJ%HbMsv5idYDfisr|f$68(V zOEfeVyEK@wNn|*rBEp`+zrR4CSc^Xh&xJ3Gfu>PIjB64}c`}auwpsLbPRLcD(>L}y zwRdAN=#Kyb2ZrYVVZ;}HT>Rn`j z)X%;9w%2!MC(1Iu(6h78`>Y)*Rq0`k+t^mrxoU_Euh4_*dMU9YlD{DbAP`Lg?dwry zD2YK9NwQbrLOY3rH8d-cGhB^|d^rKt24{!ByhR%>`$8ej@myGv?EIGpyLgjj^Aqh} z;qFRC)78(ME>hWEo0)gvT^V+&rW_7yA8sC;`bUuW+J3M>4nPvifSS#YIgDV){k2#3 z7>E_(Rm{J6_HOl!7#8^VtVv zrEbum6X%Cb<BhJo=eSSk0NIfd}h0;XhB3)uK`3?M<$a-Mx{`d(K`Ddq7;MH}(Gmz>0j6$Cnvi&_d7F7@niV+w41bwpv% z%w6|5_kEMl*oFRvN)~;ES$l(ZetXV;2Rd5p~_7& zh}bOvqW%fHhN3IMPQv)zQq>8W90(=zdC?4wtOh1=V2wq%GhkQ;KB^f^sIIQhQEm?92A3 zylWfRzd|KWx-#B|D4@l*bW&&GNe&`gkJwz{$i#UDe*`#A5?enEUc-ydl42pdvjfoRKl>pe-0Ls3ETi<01-ob!j#FB zP~AcsIj}oPUB){n#HB>c!=p(3mzCHA%N=h?BiEq)2-b$?I^`*YLRPf}dgtyiTai4& zVLjdhidCZ%RQ4kau;=5rD#};E`Qp9;D&p-xya0oWCy@#T53@E6#oitAGFcNXl}7I7 z;7py?oWCO0tR0yo%F&W**;t+eY`~O+$lxXvq$?N@UnwgN??9Z1dqer00&uXv+w?qr zso2Div%y*!yD?U1WxPU78HCFPO_}O#^kN=|w} z0kUFfR&`a=GzE-9uLNE;Axuq}uN|%%$59MV(gPZLM9X>|~A_MiCRDvn}$J3}aC-G_qMvj;4u^1_dt%h(= zglGTNZ9e&P|MVr9mCbKrS~K<<{4UsnphDc)(oWF7p+DTRH3x(SUMDVEC`K8d0!LhV z`Y&-Ks$8xr*J6cAZyb{yluf1V5t;g|_fCbauRMPRUiPFB&j00KN}`AMlaFnrUpB9K zdjd|bk*(x(vCdHem?#*5eB3N|@k*@Nnl09EPB94o0C>6^LC6r2^Hl zYI~%!w-&cy?;x+@FJ-ljA+Bpc?jzKQg#qI$I4H(NC^{A3kYN+0PfkP>tlPdTVu`J? 
zGPiBelBqg)xs5`Cu|Fd`RNfEA1gX&XBH4|LgJWxZGEyXk=C8S_<+#}|2!vfMKAViX zR2D7?gQ5_NCT|F(FwFJDeFVz@8dg&3Nsse&=Fw8 z-lGor7~t{0FkER~Q@wKGS6jY9ub~xEfDBlld{4K+c`MfEh}$Fc(=`2HsKL%EC9S(2^#_f)XX>$d)V- zL805EBzL&SykpW-RQ_Va>h-QHp~)8V!?oh6i$t0~|avP0eT!Ks-l2`P$;?*fL0NFs$98^nEv(t#Fay7G)4`;#IvxwxQ5Ql=#w=NCyiS zum*#k8roN{XVB0eh@AqH0eiT2pzkY#_-t`%x!k8qp6i+}#(;P8nQLpr5-MC${&>SD zQD2irfEG^6eaN>LdD%##UmAFy0wN?ZmMz|Y|zYB zHd>Y?$N@`uuQR+-EpT!G?3SeFY>&xp^{DRU0>MtC z3t(8Zn+l=mlmiPNdM@ zHED>c!pCN~iQ*SYa@S6oTgslccM_u9+ggQ5aY3jKI4}PDA7^TzDdtgBLgH;?)x?8Y zqh=NsXHZ;ws*C39$?DtXE)10`-1cl-)-12CNC5~er&>doyfoxu}i9iSx zV(VoIv?JrRY^zLh7#>*1qh>3oRCyOun03g3!xRtXpu7tu| zFR|LOaIUHpv(h4K&9uK~9}uy{Y70Fwri}yKUK&YpU{BUaRXSE%X}X1)BBYlj zUrj5qZkfaw{mh?lfY)hFp+A>9|+kGV{3B**sH|lhBBKz((B2S zOvBmIOxzIMFT7y{9N9v#X@NM%#wVvE3DyWuTwHf+L<>?TV!9WkwooD_ELzDg@b397 zadfVgQRCB#5WCeV{rsiz2A#Xb_Db-r+~pBz4uy`6X4oO}zlL!5MT||Ye=#|Mp-52M zW5~+D9UL$o_9a}B@VwV@px4|h@#z)v%xc;s@+>cREwfGOvEkavRA}@VB_%mZJIc!j zV=5?-KL!QyviX)NEhVGbjY>z=OSy+>E|I$Af1>IxVJER#X`p{n$dDbi{1oN~&u$b* zf>|tbk=H&#H$?D{-p_+IgT8-qz{itzz=!oF@=tc=2Fkn`v?t;u*^WwgNN-_8am<=N#(Ex0kGIxvyiF|6#m`JC?P zcy6KFLP44Ut_cvY8o({RBb{j8*Py8yOzq>R;X)=}zX>Qe9H<){RB8Oeb5=-VG1aW= z(SYNS-iRd)ZNr@ttnqmElcr zv-OTU?#?IkZYsw0sIGE^dF>SoIwj-a{cI5Ng0sH*C za=<=6FAf-A^sl8jvaPeQHgJ`1p}3Ns#YDXFQH-~kOhy|FS{km-TPW!jb#$TlLK01U zwF65f8`?|#Tznul6y*Z4vyiL1Q4ut5;eYn)56#YkFyYz1p|p> ztj)D!T1%s{5GvzNI`HVg2)b9f<5B!3!JM@abF5(r+iEHo&AKp-l(W@{wh^0lHvu4c zv>O?IG0qkje8D6%Uu$%+O(L%QetdS1rj754ce7@d_i|yXK1NxRlBK&J@8|d(d83Ga z%%-sbk@s>~8JFk4xvU}LjbCU<$BVbQ5>T)Pg!q0+K4u?;B+5k5yA`64r&cNBlQ8@* zFb4?(9CN*FiKJ87yXn~leD%H`z-<@I<8yk;=&0!m>X5W(ER1`&on9$C`VzG+=%^^!g7QSYjA~ z90nP+ciy3QTL@Y^Cj@ zVv0$^AXY97zFPsd6Y36PCAkCelzp!qiR>@}^C2(GZHLs+OT$!HW0<%5DUt8l`9PZu zQDPxVJ zY>qB=I&^0^-uhm&9s@FRv$W=WDo2HW7~|KJ!sOmq!H=Z4j_dQI(7PKnN~CbScMeLN z{c*0#pf_M-wT!7UTZSVXm3tbbKmtWhQq7)~kt*j0GU@nqW5-LwPj|KgWhgHY%-B4~ zZ&B@3mH2jOIqPDdiev^R6G<7hzIf(f)&w$M!Obv?Gz07a5IYn3P zC%`p>wt7(4reh&QWeX%Xa(}8qkIa$b*7Orgfiyjt+!H-1Xg2EGK7=_{JNyMq*&3`f 
z|Bj#Af0e_JfCdIEoIlu8^<_i{=*lPkHn^O~&#v07B7(mt>($2>GVo_?#}C>D7^d9H zA-P9E7qNafF+vVCVE4ULZ6Xw#3qe>-BVdkl?!8+scS=xA@YRp*K(c9LyvvU^A9_6@ zbLP2<$C3pPo?>36U|iSOJYI$+@m<;Med^!&=d&s9iGAYEUcY<)9ZB6WPdvz}H)pRe z_=Q+qamrd|ex|+z!kg&jOzAOKq$Ecuu&G=sa@;KldX|{9@I#U`Qg&H_JQjZ`7W|#+ zb8oT5m70cBeB@AyKcF2HVoj!_R7UbQHIMi@DOc?|3D)6b)RPkldI=O7cflZ=2e?C0 z;wDZ!G&@}HN9MG(c^lM38V}Gl|4h}Qa$^hOFJ=sVjFd`7_js6MTbgey=1fRS)~h&6 zI-&eA_@^!}8sk1XWI9F7{76znq|gPn(KYPOug~GHutGw+eOVX}`N5FZvr7qBu4MQ?7piGC?HLamT6h;!F*lOzW9MMJAy@jJFL z)Fp}32%BaM_Fa$O@XB)2+=|HBDvTH-gK!;NI?9MtTfiMBHX1T|$&<)hf7rXv+XgMuXm3blS1JF#4y)F`?$u zy1NG!I^N3=A^G9t7a+(ZPY755TBK=a-GxDMEW@JO6EtRQzM}8KP_{3EC3CH>rK|Jp9KhT50Om(6c--VDWP!#okp{z}O$;Ez*Rge|{fjH39OO)G` z^_)^)(1uapTj8HH&Va0aMB(5Xgs{Nu? zJe^isiaR=_gG;7x#56lYK83{%`u7-y;gM2U;)6j0Q?G?KyLPF~BkSIH+MU)dt*c!R z5bnhhHzu@4ik9IN=}xmqo#4a18XrNTbV7{pa(WWna+mb_19-4~jTUfziBdj$|rBz16WLmZOx*3fi{fg?v$yQ8hu){N$q!r)EP85obA)rX5sZ;C zYqHBDn+9P55PK#)R7g)#AY+#)plHIA^UIT}Fpt*SL1*Uug>(r$(3xMNnG~3Bv>w+a zsboE37AI^VDOmu>zgy!Fr^UIvMS~2x&@f%{M&0IG&0R- zZAGf;^~DWHNTY>{mDdONg(%ISG7Zb?XW_GZ_o@1QsXy$3{(BmpF}tWkb`i2HSXKj1sdZ z<^D*N!A?ri5v3fV9B^<7j(n4l?m@fEpzV1TX18^AiMl#miDF8^^%gE6o(RA#;VA!Rcz5@*yV_MMbET-5e5LoO&dL z3<`r*I3PersEGRr)Yp{_-TNw0a}uq=cdvev`Yf9n^xeI-Xa6`JW4j!vkfN2FemBR( z59kCITICu?!3UA7aQb!hWCfWq#d5MX?w9PY1NJo<1aJEJPMR#ouEwHqqn=*vaIYRp zRZF#)8VFkp`C;c^aZ0rtYpmh8#tmRwVLF{^M1)*01A@H0;7mKu7hrOPvr8-(fW|)$2y| zCJ~MH*GfCb@kt@gz3RBK({AbU(gEpuP#a&2NYQ*pATcd)i1M8<-ixV!RX+Af&3 z5Lzh*4PrfNxa9^DoEFK$k^iD1s%f<=@$uXX;k`{~M94v(peqtp37k6^G&OC^rNd*E z-p>IRkva~^$R*I!xSD3yLe`5@yy@r2=_5e54n1t&XA;V!EBtZXSCuvAk1dGd+@-WF z{c6%HDI_#^D15NnG-}Na%Oyh+Y;oj*X%wAE#e?cd%pJsBb8!KkPOGJNHb zqP3{w@kin1I$|A%^yvtIhhl~sT#*&7-HjGIsce50xD*|d*0^o2uEceKE|hx$rA!J6 zi1ZAhv3xScHFNS2h5}*&zB^JC;I!o(s7&BuLmFkj!{uW;bdum!Pg6DqoNm8K0Gk1*Zz?d|lOzftFl6YxU zEYK!WWQXS0CLG!TCjHDWUlGOSY7T0EY1fCkAr zLwlJ44^_np%?e_SW&lWlx8N7+DTeU&yRFJATu9V*iZg-Jfhng6Xyq6egfqb}z-1ht z0A0n}a>;$|ijoc1%2@U;QzNB-m#Cl-#i6V4BVcHbD{K_5w#X1&jym{!avNjJ`|xSy zY#gRnW@b+vYginT@k4Ytf~kaiViH! 
z$bG6rRUOY~(qq?3uB@~x<48tYNnUpb580;@2Lf8G!Z0aOW7mgM>GBS`sp7TbZP08= zxs(7q>XQT>3N4%>7FsD*(xkE<$0-k2s1zL>9@W6Ub;rbf%STZ+nXUp>k zM%O`xrZh48h*+P!*IqE$_-6Q3`$*-o`tko_HU{nR;bl8=t z9GS+!(5m1z@?eUCKDcQsbd6?Mob+`C3Er=}k5b%2(I}BBch#!W?>TIjJ|dKCNv2kk z=gRp7&=Cl80~RiGui+L-7trAu9|#e^2U0l|Z>CTXNkq3;>?%ZdnbiBDy5*mavOU3%Xr@Z?B+}wCSFc1UG259y|^f)-b7ard_+-)61wQ-YZPRM>}p62 zrw=W6SC|^bMa*6@=wc=-D{f>#Y5yiCHQjU&lQkj@=8h_^G4y4B*ZI-)wrG+RN8~L0TCKo zT)GKMpxZ1n&^roa6XuvC4>Vw-3LnKu%&MUhs^lnpvD7FosN>d#rV}07#5+nrep3WL z7^!cM&kXcfd{a0quHc$7xkN~o>wqfh&y>XjghkX#Fp~xqh1@_~-{6(x6?KoTOh$Fd zIcg|F6X)D>D&UJB?pDgg4*kSX>Jxf~iT##_V__GB(}NTpJryIc#0YpO$BAm;aw{qX zvQB8u@HfW0rX~wZ7Y5W^fIs`vv6C@~Q5_sR+ovm_DK0^M<8~UrP`o5yI}x9y2$+x#{MRWHeHvd4#Nk!WXOSj{d*@CRf)@KhW+3^HW z@_f$ha)&N)utf8DZ^b&I1LS@K;It5cNxMd*3*OoeU(;*Mm)&%T-lQAstX)Y+bo@O` zPS)=J7-Iw9=a(@xm3R~7u`JL-Wil*mf_}tNngY(6h&M$*P5!+PMe-XN4G#nEZ-5d5;DHQ8=1scZ)DM+vb&Q z`QAYP2cln&0$9$adpe05IDlg()5gg~h@1qNH%g*xc4$%~iguh|KWo)(*S>rd>BQ-t zhjTin$nUZ*wX0UGTD1+=v*>JE$5*<_;vUw!IAurtUHaY0u@of^Q$>lcEwL{+KFn)c z%)t^!bi>0jz1-Iw|bVZCd=#n3kJ5*Y)4MHQJju1eJve>~LneK-qB0dg^Xa2J!tNwlU6y0JZB zG*jKbtLSfYU3!q8zqsl=vz6;^r zv8!cg8*`^o7%9DxkV}HHeG=1}08qG7UWY8}Uc{zYAS(vn6PHAgz^DWD4Qh)kpG}X8 z$)Mxtk?z+K#7dY8eQ-=00*_dp0#N=%lfp`?)L@#TEXDQ@3O6in$(@cL zXgeQIW1+`1+Omu=nOaO@6yZtmCVlM1C>p++)~_kI?k z{%#tAaOuJqk&W};!3}^zf2kte$n3KChaQh*IPY+dUrF$c%qQquUsh%Mjr5w>AaBtm z@sVPjEr;i|u0Kr(^nExy=~zjN_2l{{KfGIuGCQEER~SJ#vW z^5R#@f28=CGX`fZE^m-fA53>6en`rCP z1zv;eD~8NKv#H{Bdl^uB=yAHb-0);yygTAbXaT9N4QU~!fP08ab-ROsqe6u>hX4LHVkcPfHav^|FjJMth1Z zka?iSM#b(&viq3#D&?k>DFq!@*{wQLYGAZ7%l2mP-@%-l1~?ZQpXUt@wL~0Om z_Luc#X+QP}*87mR{%UbWgl~|nM?ZPd#`52^2zBZd75#eC8>MAclLYFXvPU17at!1M zvpWayN6e_xH^6E}m`53nW1t1b@ER*r^@CjXPRtbGz?2BOY&!p#lF*|Jk*2ykW=Gfj zRSrLu-Yd~dOAMZPF7ms9u>)|EyaF?#*0X{#c%HSAp`wblb5O!!w#UeXOoi4vsVK_G zhA1k9d0771WWgmxVY&ZdHRbO)30mw3jwCq-_YZs@Ax8BHD`ugwq?9mLi(*fLU~j2U zLDHckx4Z%7LV!yLy_6T~(urec=ac0`9$(6Nul4&_-MSlF&qI-W`f&s?$!MI!9aG009Y9Roq~kGM)^tS&b5_OSrwR 
zz%qOR*OsWIJ*@gL*$;Tf{nkC%V_WvVIuBd^>cjn}UAG7F@vRuS75d`03y?uHcXtDI zvF%Ga9(ukEZL`FYa0D>g1D*i-Jt+ERBBEmdI5E(JK7B)&t%~);<0WlTNG1$$JS5yJ zi+f0X!+w6bHM&6NJ2a}t0xOm6?$Jo%)`V(|dK;Dj+K$dm6&PJ{{z_#>Qt~eH)#dE# zytpZ6_)#&@HJB>W7?|yLgI*U=-}D22m|%Zw-hw5 zR@Zk%h0dFS8ydzr+9rJ!o8iNA-w50lP+Zjvz)bR{CXRDHzed9oy1HF%`zbsGcD;hD zqkwr{+c@erE1Y(vW8u~@qaXb5VaVO*!{G^XT zOzdGkYqaJwc6pqs_|USK@KFjaqII@=Q?+;Tm)4<)J~A>iMKnPUBWmpv8`*B{7@`C- zV85@JrTb;hg(h?c2JVD(FIfaCHgdB*1wD?=v$uve9#9Yqz~R(h@>LH9maM9)&TbN? zGOG8dbMHHaRInaVopQz6M6vadNIBtFCX*hqLRG9)bh(fULc+qS0P_c^p@j+Ghgbp8 z#h|In)cZd72|`}ZZtmyK922PZOOu*L%zoV zeCtr8yDalhx|1Cz8Dh{}X3|5fT9(jThC;Z3r3Q6ifcb)g*Og*2nThTRzHvzg>;*4Jzl#~=&i!QVK3h#tDT8!uSV;g94K6mXe(+2V9V3GU*K^y{su zpi1A5^sa9(Qc&Av8#r~Mc3TuH^lnrwtzAll1Rr|65d_xYTFkMx7bIBkQ@8j*$E?SmN+8u`>sJ=iIe$Kvu)+|u*BLI!G03Za|1XMM>LKP z1M8)Jq0}u1t-*m6ltKUbPp6ubK@C|}MdAtqy8UVrE>R^*acYZVQo4jPhXruJrRFez zOCY_>n4{Ib2{AHgBzS6c8X!EtcyGvBxVVEp-k?f5KqFVG6sst3$qSLJoLCTrk2gy9 z{qd7N`o-8iYJ@&n&zHqUAF{i|Xmie{Ir$0B^yO-o=*<40{ z)KgC=kgCoQbrSAck_Wqf0sbUOQUXCZ4@)^@v=$24X?=y3A{L&%jRg{4TD?C2i5&Xl z!#EMMbfA6ruOP^@;+yV^&BG`rr$11a~s+Pen&40Tv>f+>yK| z;K?0`H0p?{=BssYZheP~MHjhw7!+ANf88T zokIv1)*@tQ0Jl`n)s4g<{zg$2_mKNg+8#WQ9i>*(w%jb09LP87xb1Kb%~3Uzp%$?% z9B2itMT1$?)ND8+u*1F!0I=r{jo5>QHiQ&<=PG-YURXq&i%WF0rsJU!$F0lRpr#@_ z(~kv(Xx#9+2NgZwTM!z+Y&6-D+X1=9K_@hq)g~MU}dm3GsdF>QcKX_%jkGMAJxy_|9VQ`E6w+NUPfumgcdZK zC3PDPU2Fq4LF=H>sy=lh+AG+WIhYD)W0sEqEB?q*{FP$aC04C+2&FId<>tlOb-zJH zc|SY7d#|a!5xvD~7WE(Zh!cB$WdDw2a$>fG!7Q@8_wD}!DM2~ysqU@TS=#2;lxysL z!Dl3co6RMH9F`~G*$nTd6b4vB^mV%#e6AfX2}KGVpkE#2m?N+rz6qQstyw}*CTfE7 zqi=4da!?gFnb%TlN4^XNz(vPcEWh#0t9leZlLlpE)=*UptyJ9Fr;XdMOtp@2q=XM= zP1RRSvay;?ybCD}8DlejFAN-ca4*iDpcf|VomX4v;ld*USq$MW%4XFS6dZ^rL-?OY z(`%+mmBs2ZUC_`lP#2qDMzYCehFbqzQ;#mmf+J}IUT%VTZB@Xd;?UDS^0VS-w*{S{Mzpxmvqk7&^M{I-P^;M8J&g!*w6G z3-w**g$rCCr9|(gxd!u-<&i6ih=!x5g zXHO|~!EV=RslT4Wp%|I}XCw-Hpel==Q@Tp!rCnD68TrH4$V0|9g#!NK# zD*+R15(#dY1pQRYrcm<=@==}!mBVQ83{rnS)lZT37sd0KERf`E<%Bgv2HGVoU2-6u 
zDk!2TceB@=qs|f4VpivcVGwv!8q=Ecxo7wA)c^mT+3wLv4YZ?y`_6rgZux2p6Zk&s-Kz^MSC$<>5XKwWh?@(= zo;SD#F+XT1ph5!9^jc5^!LxhF5EehTbxhOR$UDW`DLn|UM*=pAnMp9>>D|bZYcI zB3y zDRmpsNpdk1v~WEPr+}z+g)%4;i80I|JTpWPm&$*Z(ohx~<%lvTzf42cP%l21^)HQ( z=)UJG0WwY|g`7&MJ3)M?#j?A6@dfJ8-}?E8VHK&!&i~QgR<~KoMN?v1*uaV;$Tz~7CaAySQ&-m z2_MJ$s2;T>+!j7b9^LjD_kKFa7-F}-3!w1vLxd55x3B(>(R=*3F&St!5Qm!O!AW+G?~xQUY(a}0RVE5os7g|@u|`fLsDLzGr_ z2Bk^}QZG0?3Lov~1r&s25om3i`0-)LxsYGM0hno8o-!slcCtV-Ga;FR1E+r8avxKa^@oHie6r)J{jBdCJguX}>Sg}VtN z-!Sm$BW~piq`rxDMQlF#a%-+Sz=h+B`Cwuaxm%b@s=TgHuJo&TG;X$$tH7yyz1j$+ zREPLR7Lzak2X(nvvYC?Fu8(MEDlsCIV-&5Bcvy#$Noi{(mM3Smh26p8GMu?5&z?R3 zOeJ}3sVvql2Mk~ULsyJ!Q*H8uw0M#n23}==@woGn$5Dgcag9&Kj>f`BS^2^9^QM9* zmU5P4HpYassA{QR!DMJ9jVhi!twsOPgK$X_@GY@#NZIPt64>qv_@obcJg6Ih z1UA_mT_M$1Lfi*c`1K``O<96hA`5oHg{aG|U0`Co1Aert``Mu$tfEZ756fRA$^k^yXKu$>ILa6m}bZS2tV|?&ZA$y<%is;m9oSRPGg1%t{fVl~VN8Nb5C%n9_O!Hc_tM zF|3g%;+hLg%qvoyO?qEmWqd1Hs`3&kL@uOSg#!)O!aDTaPZDBBc@pP1Z<}6CsyoFc6 z*qc%+35MCmH}PjnBU^WIyJz}|+t|T8pM!x@p#c368 z-o8RS)$x-xCYqlU1;3d+y0(BOFDdv@sh zZ+so73*;Rnj3?JzNXL{H3rE^uQ#T2Xt7b_N`ZTr|2K6PlN7>+GpZkv=Wo=}HL|l5d zLo)oC$n-lbvTkpmAx8~!>uId$7~Utc#27XS9cS_=mm#vd<&3e|sreZ;Yv_MS*`e3< zd7;EQGF3rCkU#OunnK@GkIXU-MMJP5x^0%U{W?B?eZ}Qp6YJPJEool=apbxZtpI`ZZ-@H^_m;JEf zn$1rB`Sj_7+4(vC-w)?s0IPc?`NhDD;n1T7j=Dn71AqGA(;xB0J7kC4uJ#8iYNv0+ zrOl46uce&R+_Mb$sO{O{8j|K0jN`S@Mj9I}%jAf$s>^fLB4r;cTFa?QFP1biyCqbP zRY=p!h<;gitRRH)<0uwioc%KhpEA*;oBpc>h^Gc!`#f&9AuH&f*uwf~i`z zb(xH4>iM!N7+`4HG(78%kD~#w$L~lGY*gWlsau2+qzRum-LH^3Eo4b2a|V^u;64*g z1w)pttsx%jt=zFv1$8tJ5dw>zdq@c=8^=od@E8w-3o^MES(h=A542EYMz%|)$5+L1 zODwq*Rmz{_Ey2a2vEXH|Zs*8s6+xjA_K#jHSCed^FosoPBoQ4d5H?5$xglFQwB*Ir zKrAKIc%BP55%RKG(* z(f@=++V02+IoGpye9c6vJ7f`8B~zLVZoZMm57FM>hUNUgN8PGBt{Ezgfq8b1R9c4!lR^p?* z<-on$V>l&gyJ6=N;*6tvD?q2!BFrYj{Jz?O$rD|;YF?#j9MMPTV3Lo5lqDLww@{!A zHE4-OD;qj8<-K$BZ#E8`7;Fv%&Z87oO0Q%Z{-Vr?2eTrxw3L%*hIT{a^Koh7X29Y- zx6V&_lg`9HHG5F`1dnFlaJalatuPjE78_JK=MKP_M=;#~Vljw(&^`8dOyQuLYKRw%{7l**)y0`|)&_t` 
zh`kCR=SzoMpROKLxzeN(?oPe9Mq{DA@m^;kk0+s+-7nCpru=&yy{C~pp;aS9LIpX> z+Pnoc!Tp(w+b9=>=8#Ktf70r}KMC)N8%B+y)a!cF|P z936Wc##H2zeI#)ZLEI4)#B207!iXj1z2Ow(mh~Q9l%T=`4Sf%s*mXSO2mu4Q9E0sCAkuT(XR zMg*m!()B*arjV%jcy@A(iCC^PGc?DAe|5r_&tN_!)s92!hxHQqhZ*FvZ)cCy6WGGu zkXxhAr9~y`KIPqFty7b)D^?lUIXbV%HS>Gvi@U4g)$!%cusFob41{O0PPehMv7t?g z;*si1@z#9r%3-v-4ZJ97KnlGBx8=DJz;N=SBg>|YXrW>l*;%r=9^7}P6{AQ3#rIHX zh6ndJ`eb2PpJ>k^Jf##!MCE{%M;Olz4uJuQ(Nk16Jlm&2{L|Z+!M%Yil{%#A5rBSW zWL9g~mbz;B*yr{=SKvdyDUoaRgo&q%>p1`(*%{9%6I<5D<7<*u%(Kxvj%*BpNrRKh z3UIbt^Y)}vl!_~|S6zuJF!1cFDL5o)+0;*hM}}-Ce(g%Rq;6hp!Sa)9QY(9Ti3dEr z+nm0DNDrb^_<+jS>Z3eGTW5k)DiHvVD|6QPzm)rlG-ab{@V<6;w|qp{$0H!|K$$pH zO5joPkklyLr%5;+5dD^5sO;-hFI5t1aLw-la8T?NNlq;)*Nrf7Tn6kHBhvYacw_ zpns@n(1H8jJTcFr!`jKfPohjNj6?INde@)*u9Pz4V_dO@-|yOc!;2R*5OD;lv4Y<& z9MbH9V}TU$SR1VBsp-NFU`o-V&P_bH5`d)0w_PyV^>KR}>Y2K1=}kO4<@+n6?BMRm zn2V1a;dOgT&~&H?9`DBZ;XNlc0+YMQc1ld%Hv5a9yhJLD<8!3y?nDHInjS*AhgtCM z89gd5vzgT~-{RP@HYiy(wo}lQ^mS-`R_$doN&sV7fju6&^5Fqa!8|S|oNy@$5f4BzrPjtx++Nf@;$*K5^Kj9*LFL$Ug*Kid{Q8R> zP7^lu*6Li7&9L~Mj6RX_;2FNdJ722mQ-5ew%`Rr&Xwmqi*$;OJUVeqT9y(j0X9`fu zkmD#Ij1-(8OW%%k0r2zaNat*(AC%~Us--~WEcXz)-|RSn*z9=j9#cr>n}xz1`9uy~ zVK4<-s(oRh=bE?2`5J+JgI|a%)l`27VyqHutW3emmUCN}>G_F@rh;>!83w~$k{1x7 zyZnX{9c)G`{6SkYT&$w+RxYUMp2D8`13n1qS+Q1N0n9tP&kMnac{ z9ypA_b*~#6JsG*)#GB*Xdf;}2TCV;Gw_7qO`}}RzvX1v?3N54-lSA(QeSuK=S-K*) zj%k>q?mI;kF;)gX3*kh|t0wNRXboU9;3IQh)&9pX{(*96%Kb#Ym>Es&a4yFcKue&y zle3B{43AX@c7;cG>M|<#yI}519168f+Q`BURb_X|9%5kvQwMlBH7FVgsl`h4P#TnO zMClsO&b7!uGTigcZzw5eS8_Ww-_YN(31-t}28ye4OrWo})|{(op~gebd^0el){mR4+jl5`J}A zItnw^Jk`fRbnk&Y_Kd4yn=WY%Y;4|17O5FvFqn-h-%>b%Ae>Crr!N zT#I;STq~6c;7R+nV#)_;A(-Ame{89tPQ9y=urYfzfrD37_l}Hh_eS@TNT0zjYQS^| ziZ<2A+|W7UcV`tM^U`!Rp>m9&yj8yyU?yuS48F;FG$wIOq(-we=0PFnLRy9OyEko` z>g&qvP;K2pm%gV$x2c{rh8yq6Z9oSZ7N&k3cNiu7)-UL=`X5+9WSye8er~Tyo0`7a zLg!;(>(~)9NX#DOtCcWD*V2FDT#bV@55KS*A$7hT_gC6-AvZS$7#1;MeEIDioLEo^jQa@t39^1WER zMF#~HU>Ya%tGF(-c*Gi(S0MrH1=s^jZZs9=9;I{-`=z$ylR}F9JJRCO+2sPAVT2PQ 
zgmVvb?>6WRZRP|d)KjSiDUW^f-Se|;kE8;!QUJYa4yeXTXUHCiOKWwi657@QnwAH5ODm$+iGrSCqJHj zyZwMdCUC5Hm%bHfUfiRz)6SHxG$rkc>?wHe%0~0R7gS>? z$RY?yI!@x2&4n2WC)F_7>yW(Hb$KF?f-V|H@%9d3rlJ;xW!CyfxX@Cx?18hqq5Na) zxbVg5trQ3maXvP#^~X6#aZVYI)|vPCac+jApjcJV0Tu@7Ke*RuRQ4VkQ}b}LV1|W9 zv7Ve%tif0kGQVLlQxzXd8~YF1+{OffV7x;<+qa9)yg{AngNTe+0nj^EgnwI?>J(Ks zUT`?ZM-Av#sOdyU}P9qO#S!QB=L4F&aAJ-Sxi0Zr8l?!~th@9kn}k_Uv2uP$9EQ*t>SH!1O7R?a29N zV$O;ZM;s44l}yOd0WKkOqj

iKbObNDdq?8U2=$F|}Pf(1|Z?rOe4l5uPsM2-2w9N+vYqP8QoZ@rq}Vo}xwmQgEk!K=)ydj{O-;u0;TGGDJz#Zy0iM zF-7gqbZ_>rodc>Px_1I8gQ6GioO#+!am>57sAJP?NIRdSI$cALvz}yqrngFy<6L$5 zR)2(6O_ywMIM(tt|2vb;0W57tz*u zjVX5ANPBr9Ohtg%hn;l;4~sP=(iTbFgBWgfliLW zV1Dv3Dsg0$FMwn{YF1H4xV!UAxd}J9z3<37?p=&pDAz7e#@v}#Sz?t-(mt6i`Y3%T zK+6#rtuZ8GMa^l@{ja#&_mzTnUWC_B`%#)oqyPV0!QK943cWh+>%k4B8uecszGTCi zaUDeoO)H=IG;5&WKNa-ppNMu*mzZn8h)XuclvTApA&kuG;--% zv?fG?u-(yAK$T9~xOMWmRHD3nD11r|LLq99hP0-dlA2i>h@^zf$NZ3}?lCuq71ul~ z>zbJRa6iT8>H&dp3k8+hiVEV z96_N7qf`~_P_+oH@>KVSGv&5pRGwtZB=)?@Tx9`p?Y^sK)@B&5axESH;N|z=cef-N zZ4Lq44NgSq*DGh%UjlDWFAU~Ml)OB?y!*=|qzGA50T1M_v$rUT8nD02?c+SvS$G^5 z69`9y9ZQcc45hZdWY*(WDkK{#rk!9bbDe2X%P0F#G#B0d1A5OlWGVJ#p|Qyg-}` z)mStygJMDY#P1Rh);@j(nuKG_sK^fn(=g$^Q4NKrG+sb}|60BMm7ibEan56XTYqo) zs5GSYR6#o-o;d{Zgx>J-QkaoRW3Kl|+?@FEz_is~i4;D0{sEo_Oc4?zcU|qH1?H5J(8z@E&Eenxnz%k#Nji>- zX+#*D6DjX1>=x|K#D{AAZ~(2;Z8Bxc<2PYqpc;dLWFyXs5i? zd5pjD6#gx7S@L&4LTK;w6LfQt8QFSJ9$Ah=~v|j?BJp8mD zhcDNcw{KP6D9vq`Whmb|lTu7~_qY)De3>b@l8iWD)jcC~$yFt3@t?9w^X5i!8RrHP zx7V>1%delKa}v;y*>_6EggZ8U`@zrr4tpQ^QUV_M6H=c=mydS_ff3Dfw~O}Sp1Q;@ zLlwB9Z@VuL(F31Bn;gdze4h$e+Mie%9B<3QELv#Tw}XCKh=Tly|C(2dA%hwIa{YRV zCMi-x){VA9_4fN2cYOP$ZpCB@)gcAWGe#UjA`=5qnM3X8keo{vu`ShI&8cXhe^bYQ7IA5G=w zqpAFSG?kx^?C|Hk9gf{$+ddX$I}%S;n;i`a4rRcr?O%;iPCJ9ReCk_YO8XKF_T}t3 zD>kj2j;(OxlrnGHy9GC%%!WHa&UV5i~Jfy;wW2WAtW4(#T~9}VyJ(eQ2`4e$2R@NOSX z+-=}v;TZ-V6+Rs}Rrs{?tInashE?zlLVqxG750ro8izWYKZx@Fy(f8feD0Z3dT7IO z`=lSYgGft6_mshY_wvpBEi0-J;*n2f!3_V{^n!KaO@UYoWE=Rh|5C~N(WTOVmN?sN ziOu`9-5)jjN>8C(OKTxryGKIzG1F5M8pkKY#{!9|a^yfd7!Mtt6X@{gK*h zFmIx6Ac9!I>tEb%c2pA0EI#QmV@%E-dTNIyNO8tEbP;Dfu@J1}S(DCTWDGk*+p-KG zCW}Qo^NtHxi70()-d-PrFhc~63j8OETH+B%sh5yIjYjzFOfp5xIY>;V4VG-ZTy3OB zy3vA5dJOLh=vXArMlG-7Nj$Z$xgs8OrLI?huGurc9t?P}KFQy(_8207q@^aTEb+{3 zY0UcsT}{~BgpnS7&Dj&Ki(5cK7wi~;84#QRxG|20#kR{4e0Td|?rx6(UNzyRpe8>2 z%_<%9{i>`fcH|A{pvUe;8u!JuXk#PJkkfGmI7N*B$97bRt0gVf!&WU( zF;D=kq^!5m1?0Q7_N*J2FR=1{28LXcCT>HtUIMTqi(jRC853^nzAamK&F9ISIkxxj 
zHfxezZvwWtOW-|=YGJJ&`xvdIx~1%&SWrVhV~nZjHdBf;O+#O zTDKXW|5|-56r028jLi}mj=$uu{3SneJSvsHdW(p>FdGWQK_8u)wm1wl~_LmfsZ>|!*X$7f~{wB zw5NzvqRG%Vs1|^b_u5x39_o?vpOVomU}n+j@3Ri}B(>Yztf}F0ed3ipqOr7TLn!Te zqpCfd)O~29M9P=En@UyBMNV?bxYgzRkGku3bU{9*s>TLKNEkFZ4`1~ZDb2x`YgyAp z{lH4R64}w7eef7{yU-G~VY);Y*BNxxacuOtp?5FRh4&V=YW6%SNa%zpt6TAh3I1q_ zl5;5n0R@z7&Q2gvaw;&n*UJ8yOFV}W^cYgj)8O8Ijo}cxZHjJr2%&*WiyI@3ksrg6YVx$5;syT*Zqisj6mYUIw&%$fCzviGq$Bkje2GvBRu z5N;O(IAvO8g_~+o_l)P{AgQ9!jJzvpgN#;?VnPGr(Gh4Xdr)@3&SL3!2302tee^)+ zv7NyqNYYT{cqPyi6RK)M?{2GwK}%e2vs*z%m8^<#5HP>kZdSWHq99>{^h+^th&YisS#O8|!UYtqYHT^Q z`@wYt1bTLcED2qq;Uo)jnqkK9bo7bHrz9--g3NA)JGKkEEB~~(@V|jH)5SIJY@3vY zfp7i<7MH{k&11qN9W`jAmm@!;$vFd6aKC|qegv-fyaC)X&{OQJiB2$sSm^ESYy;;+ zF>-0+YA^BV&wo0dJuf=D1w7s(uWw&6?i8cpLJ!@RuyQGGt@`$IjHqYD!9Z;vH66X< z%)q;oXo_0y5 zg^1v-6{N)yXB;>K?5g;I)W$)Yk95%D$V|2g8gC(ypX$w6z&*t*dZz|>KDry}LH`^K$SQZ;2*c*y?gcDxHkMlnzz2h~K__*{VCaO#5k zUZ{b7YZuyd80%BfBmGnFP(AaKqgW98;o}TxrT>eYb3H9_`y|KzK|9t+q>6dk5W;T@PM(7gBejk z3@9gM?)SrT-OkxR`%S{r+Bb8W&&XZ`suWo3Oqliqrr6Cm;#R-m41X^f*ZGBftC<0Ru$d zGPi<68ZF8d{FPFMbIyLdk)$U~>0^9g$P6c>2Hj>OfIZbN-F z-R;FjOHBtLBd@hovxwFY3~bofijoDWVB%W$ED%>?jHKjXc6XvePKs*|FbHU=ZcA^1 zibxpUc0yTFEdab0ck0noyAHDPkPdfCTGweQDcYfe&NJ~*T_fCz%}|w zNfmhq2g$pSqO^`l)V-$FV$A-Fkl=seoSom27gm}2{A7C|M=^fEM6vPcQx>wW^gbL= z+St)-N2ehP+a?=pG^0j%&eo}>z%=Q*_yxx=I|YM}eFEH$Np5*l+2PWRnGF~9vk)!m zPtvy0YIcc-OI93TVna9pq)qTkoH@Y!ua}F}RrJX=D1eQhk%;z`$d`~pTYb=SX-)gR z83JCVcPaPz#g!sH+NPE)^b<`Br$ix~lZAG#Q8_UoNkEVdL`T5h9^v5Y| zQ@*?>tAx>}-a=CowS4+5aRh^2HwB1v1GF#8oCn69rTaal3&mG%m$dB7KW;tC zc-b;OZVC72XeDITMVNk*pb!e=?Wv&Zq{A@`xEz~mx5Q$>-U>cs4#6?OPrrC|?IpFRqv9vH559)W>luNaxD6nX9I4w>k*6O zgb7U++!BL+jfz^mEI&1GUe>V6ns6+@lFzFdvg zIf(DHmbi?>%a|(W8Kt7zd`V(+N>ONP7sod~dL4C=MOtzTl++`EZZ&w-ikv!^penwW@gK*$;c3;(g+8^a?FZ@z|S1<#4q z5Xwy!kfX6uqrsJ5cMXcHhe~=`TwD_&F!9dcq}SiSL-@dZR;LT}2xjl83OH*_A6X)&F)XCYPM6O+zbfr_aFE`xX{`KbP6m@#C zt2=KjAxBCplKhNyaj4m|cx$W09j0IMQ#cmD16dlgFw(I7gPBAIT}jibiSx}^TXI%+ 
za-zuzl`{}r*qD~-80i@6^>4D{eFJf=gOf#SxGyYRNc&L4MXQ&RMvBQUocsieo&gn_ zFf}H=u#^QytIiW1BPZW)&;xEZw2b#vF_@50lw>KJzh|sFq!hE-xsZxYSRE=HW%IqH zXfv9ZvjrIHfT~;}3eC*J<3{&Za8U@gKxvTdt-F^_HMvGcfz(ZSjY@(-n{vnxv)_%K z?zs_BNNkgoC%9y())>_XkXb4;%hymeZfk>BB^^z^N*_*XS11@YBrW{Jq7f3ui3xbU zszS9#(>BVihme&VXDhRE~-GoS9HO$ zQS1)B=6Y4RmUcUu`ekViS*MQVP-d~L_zX;%mEF;@t)?K$PzNeM@QoG82Ef%Q0|fS3 zw_7cnmx&n~?U6ic5|6JCajKu(*K`}9r>^rX-R zQ8lIFaw1U(wytQos=}TRrRYud5J`;79K0lSv1Q|0SF%Z!5$*eQvwqC6R0g~|onQ@Y z!I*660VmW1#HSY$ZnV!d9JT`8JeWzSq9lOvoGO0g5Cha7jN5@;F z&GjA4m~!{LwJctwH{lk+*2i6{ed9Et^^=I51Fc>m86G%JaM&ucn_ZEmT;hB>QFwY& ziLf`R)#kXVK%`^iW5+7NLxlDhtp7kWs%TL`&6O7CASayCj=g zc1kM4>sA`=TMW>^d&QsQh3tC(YO7kr!+bq63W&-M^}lt0s@k9PXmE)0<%(an&yX7Z zZ(!a?kD6?H(vLznYEEmJRK01GZZv)Tis!vYln2};@)jk=38s%y^+0~EyegZasnkS- zB$la(j6g&Y8g)tIOpG(~=MiY&yCWm1QMRnZCeRx!rWF3+0OpS8f;LI3@lk#sj6g=n zFv+Xto^1uyF@ZH<$$i8?u&q;hcLbvAD~bJMX9yt+#_fYHLE?SIf-+LqHxZV=t>S44 z#n_Tr8bOWVfMDu8{ld!_(K<5PK6_sglL?cG{HPXN&EH6&gXR>Qu_!_8TokUz{w0}_ z;vIE&F`XfUR%{?6>kuK4*Pcnmm&GHPeaL0>(Wn#`I%*=_bzt1sS}p5mwb%e$9Fk(2 z6{Cl3r=fBIAV)Z6L{Ty}B-CgDlq)tsw@}uKmB>+6+6HP8J9dmtTP}K3XgHS6m~{3o zO7gA(bN~+gj3w5*L}a- zT)x>}p#3*&?FvO(o}k=BN1Nrmyp|%8V;KuWDIG{{^k{peFbIcDfA420cJbWp<#M%H zu<5v;FBXU29F_!iF=Fl1cSF#mcw=6!K*(c3kJzXqGzM8Y*gkJh8Frz#JU|E?N0c%0 z!iQCU%5a~t8baw=PmoNkCWExTDcWApYyqoQJVj<%taME z)W|a8>({SU9%jj-TVhhLS2$%DDZ}J7@zbp>W9uP<;v^R}fpHO3qe}uuzEM$FrHuJ2 zjgoPO=O5^)FNZw$>Zn&keXI+yQ){Dk7)X{ZCJvj9G^(jT`0@1x3uth*7uKN1GSYLu zr+ts+H}@Va$~PvqyMM!QQ3QzKRJbp%dJY+3Ujt}$V^47ei9pB(Oy9fZge5{EZJh%>|?Qp z1KEXH@(33~2XGul?GsMSBiKJcMJ~R9{sW93t%rOiKLeFCJufad&IJM+-VngvX^RyB zy>xK!bL!k{QODuJI!r(}5VKUyXfI4X6F+geb_UssZ&2&&ZSp>4hdQAu$gKRir_QmO zu+)Sn&y9_JE?!p#TO7B}Df89|p%8bxMy$J%D7=jL2P_bD-g<{HX;OsUz(?{-L>$() zonqA_7~j_oOpUm_FgQl|S?}Byl^0Jfo{8B=s_pFU9)4(Yf%G%3d$`$mcsDF=Y2s)Ci425O*cVZ}JYhu$ zNH{p}cZu+x)}srV{*Ak0Hn;i2sK|8XU*)M59eooNRGfr};kftEzZ_Du@&Smz+OG;E zKQM6_ME|d?1379^IR(4SaHVp|73~4y*aylfF>X81QLbcX`Pnwoxl`(021bl4(+aG zNd{Bk8LjfLTld>$(KU&tp8*#g*D_dCWMtRIoBE9>gk*ATMM5@~`6V_HK4#y%&1 
zPo;pV@3+U~%F0yCqQ5XYuqZV_w4Pts0yxqyil|^9)%w9k8ElU`8Q?5S*o`|Q*?_YJ zC7AWfB)lIzPN}Q!vY>p!j^*pD&vaYb)@bg&A%RB0Xn6y70CF%U<2g9ic3TqgVR-cZ z9SMAgKXTx;>kopCC)cPRx6atgoWzlG2tj0>rsv?GMlOB#$qKc7JEj{3$4NPj5@P6y zcK-Gpu{XTki{w&T&I@|Z);zGQbJ!2l*K-=&ueh%`!TH25((q1JyS=r~5E5VlDvh^X4hE`T{oZ&2OK zMz*pmbX6%3c@2lV8U5rmOtQ!54#PEc>41VwMRY!axDGS#AOL3mg*hoBo9`jNxW&H;C7ZxnZiBl^8}tGjCeO zsd-c|aNwL_d(|+k^arjf_z%U)`PwQnt?Y9zVTJ>TMxqF%;HSQh{58|9Ri@Qk8oqv+ zURFfe0E{gU!smqxafP=S`s!qPskmMzhNp92GeTG!*5m*?esaFO)B*Wr^_Kii`c$te zQrZF2v!bN-9T;|OA;ZQ1|K9EhWDBUgFHv<=$^}U0k|n*_LAA2dxo-SS&IB=UQ>bUi z%fsnWOG(eVtDU6&nSL2!Ne+{0a^9xTzmUIjTa8Ip#)j95Tg5@6wI*F**8N&v)q>4q z3`$NMpmlwvNR{GKpJZ-PrR(sP^78C+WwIW#)7KW~WA%d- zE3n!f;U+{1C*EgGps^>Ux`yCXHy&MC6oa`ErFTlomivpDItpeia0yN9REC~hC1Ft5 z$_7=)@hnP{R$Cj>iMda=zY=WY ziy$OT-IGfvd)P>(JYe)j@QBSMN@C=AiI=Gx2f1Clgko;I8oVAlEbwS(S-TNial^Ey z;qchn9kQu(QjJqajaKb`JRb)+nWwj&avsPXM7hHMW>BsHW| zq5&z=%3$PJ-chXlo|EE*Py_SV`U2!%^~;KbxnquJ4%!^9H>ixIJZL}(vGHTc*GdgY zKjQ}GmQnEVM8fDXOX%R`Q?Rb_IV_=+7Dg<-G-k8tjofq28P>@OjV~q#tOId(Fe+NA zJcKV~u_R+d@?K5Go8XrVJbUSM#f9Q6Pur~CFj}CHMr}5m4;p7PI0h-f;34SRM47jF zhJA%6)jW024h_cSZh2B*p>s@D(8L7RRT;N3dM!4~QeecL(S%XN6y|N;4*Zj8=s!z~ z9hY;fS&lW=bitqZLCkC%$IXpP<9IuuKMhpm0p}duEJ$dw{*5tBIn{WJMbX}?5|KLt zij?%ZM%myVkp+Sv@x!qda$FY>eV~0}F1( zehB~Hec57-7TaL}py~{VC$3lhA)S%JOPr9DO#6g!%pB{IxLxvD{Bi{djHNvkPTzOR zXg+(fMe7%m(3LbeGOMMJIwZpBws4E46hIBF|DWZ%C6FrLgH`|05&j1N7Bk}vblc52 z5)`F4z$ByI$+QOv)Pnp{u41*>+U2-&%xr%%ZCqW1;1-QmahEX1Vi+4F$&HT9`BjF; zxFmLykSx}bLPLt=pwlH}AX82VV5DA;j=BjJ`+Shqfe~_56<(fwuz_W+uCXD@`aR!m z{KQrrwlYLX?Zi4gley1l_%l&BhD#95iWgKSrOak>J5<0)v_hq`zz;9q-tgtlrO3(^ ztON)p891|uFIPW2rnxmJ)p*AA0h0m0xlvRT!tX>@0Nnx0l3`#ZN@Ka0Eg@rn#(n{k z`-`pflX}04968D)G30xW+hY*r$?(Mp)1B8?68@7@Qsrm8izlV;2zxm)tIj==lYZ+N>fZj+ zO#LJSjM<3-77|Uel#C&cepOh->Pq^V#Ce|+o(9;fM4(+3)i>iK^hP(YM{1$x>IDy! 
zivb78r_`OcT}FZHy(XNL6{F@=fqkWxscijwz#&<(IM{tPvq3kn8fKRBIQ59;hF1tL z7-gss7Xza!uksYQ;YgSS=V(j=y+K$v62Kck*wrax zy;r&X%`uRy_Hws57b)xlf*=rWQo(#ZUbH=QHq7@K(!89LTQ30YIQ}Ku2(>oA%!M3# zObU2vmsl9m^b)tFHBV-(bVk1>7LInpO_f@yK<`VfZIc7!WaTD|8cb|hQCU?Y)Da9i z#i4j}{wpMji%`Fa7t1Z$ns*}}P)n$Z5CdKazQFF2apliS9=kmcgOovJ*Iy=5@w?!G z7;ih)El^E1DTp>C6H)_hmqJ3Th1;UCiat*yR<_1gGX!;9Y&EZC+n{-SEzuq%)9p3l zzF4*W%mqH&L-7vc5cj`+ro)8qNteEH2(#4m{pbNzVSxs^U=3Kn;lL{t%y*)Wy zbq&5B9?s1p#^}wEN9U=S|CERm4}g7Uy-rUS_CBFhL}r6l>y|U9M20quk@7$P2zKY} z71J~@ENEYiFIO}pjufYC5kqKkZ9XqR^9ITelEdZ2=Zk~)@85svr{&Aj^_RbF?tQuV z>tCK)ST%&Aj4B|c;AAgd@5*y?u|09#XcGcQ7g}pP0Q5rS&mI+@Z}IP2$nMYgmr6ip zLJGR3vy@vWm@pEG{20o3DJrTzos(WFpROUoE{JO2ayT9HHvzD>Zk&@llMJepfk^;S zK(4=e%06rcU`ZFvhaA}QTe1X9I&4;m%3gD1N87iWZ;&@J_PdaFERz zxL8XeL3g_WWLBfIm`qiXZdE!4y68~-f`ivx#bWDv*qX?gZj+gNkw`6 z5-;PT`l+ATUCy==sOV&HR!dOc#T}J_FC`n3upkC~Hj-s|$W_4~E<{IX24L=~i4s5F zwJ|1XS07H|^El9KEKsC`ksd@8+>ucMaKJ_2;2MpxXvP=|B?8TV9c94&WyhvXU+Jkc ze%geUr@fQJ16%yGf}@|doUDwbmpDmEIYcA6t8?cFM&@afrhsWkcN0NwH3n)JGk}tU zWb;fmWSPhqMtr27W}f{NBdR)?P?u?`@Rz&IB_WN96*g)e+|$(I0D)vrKm^@uYp)A` z3T`rr4iS;roG!1t8iT2Opn1Lkb${bY_B+g^)2h ze4KoV#|9zayTPh{Z}~FtZJ!YU{$Y_=pLio5ZGkIZ=I&sa#m_eIrHgCB_`*0xS7pLNe_G*>bALAWzdOt6KU z0ZV#>)YO9cJh-vNW#%MzBls=4?%Ky0>oxa^xI`}{1*=dqbF#jKVH5rV%=eS8AOLW% znTazV_UU%IEj^+NsaHX+dl3X}x-o6J;^*8mt1c*&CH(nJElY}OIX5oOS$U)}C#r6A zdJ7(S!qAPA0uu}ls8G};|8A@1?dc#-b_B6<+r!cH3QD~?7GWP?d131rIqo1-Y88Pk z5}|h3wkr1-x>z7%F2 zZ`W+)%ixEpeMlnP1Dt|#bzvZw!ZdE1eY%!byQ94=K`Or?Ap_z4q-jk_16ap?CZh8= zzDFB6mN5D|bqjTro)X*g2cNS!ljJpu7))sxK*zG4P7lC|3n}a_*G_mpn=5G}>?|4# zHZNC$anHA-_%HirHlko)c!^Ph$5IyAp`jJ`IR=l-_1JaEwg|wXdcZGRx1?2zO>RIw zH6_toOK=L=M$K9_9CZA%Z$&veIzRqnl7#47VuFf+wKQ=?qq$uWp=yp@;iRK{2c&L5M%&qOlv||+`$s= z2)KBVe0~*lP$vWRCb{rK@2rs2;v;SP)FU3LB{DvfrGy2@a4#S?5NkFH1;IdBW>*s0 zf#Nzre|y4%+%_yw+L@bE078ZR!P@-Qu)TK2Xf9z&0PCfZI90Ay*YKe1dcG##1_M0( zWX*9LMD(`sE_udFK_Z3=!8r~$Bw5I5O?KxzJ4^iT`tHxzhJmIm9E14)m|%frh9ze} zSb+W#AzE!lmRLoDpl5<{O}d3Rcq>b{SruK+94h;8$xc566NEr-*thbHFAxrdBVGT{ 
zN4gF@+2{@z>-v`Tz)gYf-t9UPSE3sL(I~+cj)X+=nppc+1NH}dO{bo8EBf*Mcn40S zi1OC?4n!=j9mvOAkQVDh=%r-*%6BdE>mCDFSP>Qa6TqJS2#uveFJonC{9Vsrd)^KG zU>zNF3nCy9VY)D8gXAQpQVjX=v#%aMS-d@ei<*clr&|5sLpxd>b952l>1MKf|Nn@4 zKWlonrzgrC_Le8WB;wSP-9@WJNqf1*Z5+VWs zLMZftET=VM|v`c6+y zF&WFwe6^0HX8aM!*rjj(b?Z<cjF!Bx1MAYaGTdXB{t&AvEI^znzzNIl~R>0%KpUC!+<_GNnda;ff3I0&r#F^6EBmeA7zFy1?sb|C$6`yIx5`c!i;cl^pm z`>8#d29CN-EvT4VwzaW0%qDa$z;1X!YD92>`) z?8pRA50y^UDONc>T~SzCoF!V{O@d)pfRS5mhOY`_RBtf%27EE`VI8n+2*GvqVu!!W zDiicvCl$e{tfR?sKt)=CM%(c*4Pz|(V`qX-OQ(qh56S^8{9{{HgBjp-0CNz`TNF`* zTt_Iqu_o<+l9o0e6d4$T(}YK1Bml*`07bxBun>S5I+w5)Xfs&AR#~lSD5)7wDJ)^` z?fx|>Q<=AG8*q8>hk%&kkW_?tfZ;c=?{I>dzA0rSm}5ka0Af&`^6_d!^>x?dnr!cV z!m$z~cRa-zcFX|ZhS7nF)Wbm{VZ`z4g?y#TTMMRmwH&5+NpZxfraSJ$a$^_RqAd_9v$Jc8$q!zo zd&({O4h-U;`H&iw&uus>QUF;^G0myC+HzSNU0hh6$f!yLChA*`HGd;qj|6-cfV~r1 z)0ocxlM~9p8Dm(`P6|4((}%byoakI|7b3Or4E{y*FvrEc9QYulwAoPlq3VzY{=exT z`7p!AP;8`>`pX#(%O@>?(mqEI-vO41t;p?d2`4fNEtV$&8idHkykM2DqJ4%NBPnS?sO zBnJ)xQ#gF4 z{G`Ey22v?nwPY?YiJAPU2aBJ?jS(3LN#6(shYcDu^GQIPctWuKhZjeEbWDVfWf5>W zE7po=eO)Yc$}uM)hT~tegilafb@M8MK~E{NA=YQyPwN<2mNi`8`ykfRA@n9p4|3$H zn)C8_{U`kczw=D1s!VU_-Flk!Kqd#;R>2Jm7Ku?OLneE+r1(NSQ&EahmpHGqF$4zT zG|7~b4~L>N&m9fSDXOk&7*sny*zG*|=EhAms^XCb_Jrxgt@7MdfzEfoib4?S;*l}d z?c!6Yyw=Vt?KUyk#mIn)p}_>N#o2Q*s2FEMvuijUS$wQ+LG7aQNYw*d(|d(E$8!Pn z#AXXBC&EcltBd=cTD;H=hrtb|N*IWudRrVAVHdnF8TGXM_?W0?;zp&}#w2sCk+vYB z-^2OraH$h+;p4(qw{cL8aAwIQZI~AQyM>{*kmN-x2?wU>_k{1uCV#RP`IbXL*#5_> zdV{-iP~K}*N~f~mxqis%g0m0MZ5(`#Vs&yKJ;SqRE=I6(Ie zX5NtGehwv=D>6Jj1)Q{%RnjoU?bEyQu9ReM7k#K^?j|=f$A>i&Phx^VKCHh5ILeuG z=MQ;a>y9xmD0he3v9ZbHS#wj+;c#MqQBhgBEfwN7mH7c%u zKOl|%GKF<&yE)E?RW7kY1uDWT3l1~aHR1TQl`I|VJg7Saz)=_D{IbVuC7W`_ay!Pn z7LdFZ!9be4oR{Gw=E_SdX_muslmB(I^!BQ%cz<(aqed%WH~W~ju-k?oSqfBdDzwkC zyef*OjLCmxKDb>`J7lKXSlurAjTBA`)Nn!kawkwK+f{KUgs3>-lskg^V5NvULAui) z=7>h8-o;E4jTF54v(L#O9vBD8dm!76$M@p2Sg^y63r)z(*kIdNeTv?O&t2up9o2q^ zXXzak!|#x1tjsQs2N1x>4(WPyAlR7|e#J7T5C%s5h_SbxR3nmTSn$63i!4i)Xz|U| 
zK;AGGCb+P;fpW(@&cz8?d$unZlN9mHSgY`x2#gddkQZyIT3a^U>~?GX3f^sFp7U~h zuf>{OiA|V8%J019l6!H>>lNqJ;?Bl%%U$niK+~6NF_eWSfcrqfk;N&UzCAokTlNGG zKx&t@FGQ6E6vO>Fx^`aZP~=YxufDMgqcr8+O{R<7lZe0(yC8c5{a-9hDRJW-cDKZ> zkD+ACp29%Dm0L|-+zm2SU@w9-UILYh-)FYVsbnLlV8U`c;LlaC&Eu-m@`qLIDm2 z6(c!b4B~2dK}0R`4R1Cm2Hsw%Ju%|_?~G?|Cm67`YCPf*Qa?b%8huUlTIk*}5{yMh zu7<%pWkPK@w6k)V_6{gV+7BUDmStfSIMHe)K#GE{W+%lp*#DS@lVE^V_E50;0@D#n z#HiGRFA-T6A^_N+Virx?!+Jonuo>S5PBfWMCIZWp)P>zMEBR+09>|*^@$Fnx<>sNc z$Sk*Ds>S?szZx^2Hq@aWW1acxOkkOKE!>Rhk0v%|3stg(RVdK!<@Dz?poW)ZZY%e` zE3D#mI)k_;J92gDzMyl=__lPRI!7{K0z7>3G%Ba>{HbjABGI_`I%Ek*Ty(#Pl6Xp5 zLAe2~cQcR}(}iwhtmddq6R)>zULIK@_Un>$`GA+&`!gf=2uZv{z;=j7Qjg~PP;W)= zVS(b7<=2XuNsOv2w@Oj>D1@6DuqK&EQIK3|G3QWNr_GGr6VsZ7g9Y5(APZ$--{FAX zv+=MG9ABi8bd^L)HX4QF7#aW&UIg@zlTlf*xXNplQy$UfrDsE)Dw@PHdT-9`$!F3G zRUh21#cfu`9TY*$Tu12BJEMMDh0tBZj?dp%%*f8fLo(cu)+z%9{tdT*Ol(9BERFc< zt_AGR40Vf`RoSfpu;}^&_#|mQ|Auubsxdeb7W{RILooGQv#uhX;*?GjpNm|@{|_7 zf}6zST0j_*2(=ZT<_Rl=VSEhB@WO2y$p)eTNW_g9`6^1_FQkazcB|>1Yo-1-8b!nq z1X(aZHb*Nl-H0k}j5z1a@jt=V~0#jNJ;p>MVdFmC_dQ;ZGt~aJr zinLPn?yNhQ0<^*DfCxePqT7Gcx@Kva6V0u32z&W%vMzCFy2bhgG9}vuZOVchJr*aW z+=hftiis^sK@mdLEG1#%3qyKzgC;7beG^i1HydLtEVOMpMd^d8$C;Ud1}Vugf%Iw< zW#*_U(9lOr04KU3o*AgYg+k|S#*!G;`UC;=kc!J`wYV4jIo|um=xpn?Q*F$|#%gAW zI4jLWO=taqKE^=mnr#>T@DQLny8_?=HTjATBh8LiliN>56p@NJJZ)Q;OGM64KWo*Z zr90fgqs`4Z8f-1T{#$Sc9r=g2XGV`o6Nt^r@Ov@uvif@f@z;5~yF|uQp|(J1@ct@w z<&0_{Ost%DDu#?dGy}O7uT0^8)GZ)|CiW8R>k!#^S`YMgo|CxrQ+xdfB-#FvI)17`~f>Z_i+kqKfqG*>#5n_{a?y zsYG=;yn>#dQ-G<(ZVA4*d~dPeAxZnK z!?nJ;FF=Po!(?9SMUxvR-eEW!6%vQCDfX}=iVUlpoy+1Jhi z&*V@KereE4qocHR8H=mIjpU$AlkCp9OOQ`Cx5kFY9m(y&?rjt2e zn{v&@hI4zLYS~i8EwsbTP32(|QDTK5L4$%)$~x1NSCiaC1`{#qP}d7QlxxubG2gPI zl(xh&ia%>VW8$#BNyW#qHrvsbC1?apHS23?qalGL8RJME=xa#w= zwxQkGk;KL$1k;U3kUDH#BZ&DLGQG>ZRDLK9(2nLLO?0)re2tr3qJk>YtK@yS+mVf@ z=g@(QLPkzY=a(nk867*%*I9#d1B6r<4~9IO8ON{B8Q=;=8{nHew}+QvaLQmLV5OA9 zA6zw4snux7;M(M1?vZX9l&S@;zt8$PEWBA6`7*lI#GMReMjy{A1gUALN~4qa*$@s* 
z>25vwh0$b#Bq%oXhKbRNUfNes^vbR>LT5&)?OV8giXHgXGr)a!urJOL$A0$YNb2R; z;gNv%wX{-?F}$63A4AhIh7H&U`}|ap&gg8tV!wHaubM(;V-S3uOjWYj dDU(}T9 zo*r>?quTaKGIBgZ4tLz5mn?B_cjo1dRPI#&0j}~%1IYk zUtMa&7mps7o{>1Fx@O{!)G^BE6Klq55F~ha#4J6p&uf@(QmuBKj&sKWa$)21Z5hgj z_Z)w`MAZ$tV|PzI42f?C8)Oj{o@Xr9)n%b{taqt<4A8mmGcN{Ge?;P(Ofeo0ECj9G zDuH{uU`DnVT9n&z>fNCKFQSl=U#a;ml0`+>r~F$2+wLpP6?vFQ=g<>7BziYWBR_VQ z9d#1#PHi!Oi}3pKl{X%roR#^*yLfh}*5m2in~a!hn2(u5tqTZpnobwmg;nweg2}p! zXtbiqN?Q@u1jHNihU2>1u?aX=v^h2l<3d23xJ5|CkDgX# zqMG!m);`>6iE?qqY9c6jOqV`+e%Ot!l)Yr+3#S5)qS7{Du0B?Gk=xE8HC9A3bqmrH zBe)qkEn?nLq(JP$2teGfh^qqbEQqH9UCXF}dxc~?s>%d7QZ|##pTHh>3hF;ZAV@%f z${updQ8+ulm6KTMHgn_Q!6C!dMz0(l2o%mmcJDgQ-%uW`q{V<=XS81XU; zhXEby%E>B5(-j7Z5D;WkvL(G^imzMJ=co{{Mp5~AVJ4(e&rVet=`>csaQ$|J_+n34 zp86JLbI0K+)ioNwD8e+|ts0!dD=?SCs-k86r7^{ z&Orci}V6>kMZF1W>4AS=Zgd8O>&6qvo;S zlPM2COW#FeH5}17x%6N$X1OK4^u7m$?o-g@7+f@5m3FIo9oRJ)lWqSk6-k@ z6y+PkMzpvA1*0o~9Dh08w5g*zGMi*#OK|b#@*Bk)8pQTIN9R%;D|5=`Zwx^%%#@Y! z=+RN8r>vk{k_VU<3cEq9x|nB724MPzq9JKNhlD(Qx3EvP)|CMAP$YVwV?$_hPE95A zudqF0r{ysiTl!}4pX=Abq1UUqI8}uYd-he3Dh^M6TG#+Vs*^~>sL>vo9YEd~@SiS% z?!&()_uWF+P@p-zm16(Tm+!B;4f^^^yvt0PwmN3dPMnMzJUc8N0Y+-X#<-R6vF0%B zrZ&1&`{qk07lKPyp6UD~_E^_9L7S1$zLnO9aR;}8YHWh_jVaOSrg!g6klACuSPOGe z^3zVi8{(O=0kQAY()3NnZ;``>g3O&PqRPO1@HZ$M6vwhmn$5d&)XUI3VosrS#I#oi zpO$~xS90$K-6sA3$s|>(Mzx8_@&RKE&LM^~hk%Y~PZQlzDmTUR3*c!yiAbQnVU2>gf5SdkWwwjbba=JQf-D6Qg}d-FAySR-@dGlHTN>R$j$D61j8sa(PyG zphcSQz6VoE;J~TN>%$087R}yT|JzC>y*v`2rC8!PgqCr#%?h~_G zpc;!WAg(5RwvGR+>=9lKC}0yySUgqgp;iy}Ih8RfjA@o#e@RRP;WtSQl7gjJpcY|n zcRi)UQ%PRarAl)TaWJL(OW)zfe<@|i_Vt(xZ z1?LNqAwY-d0`M4Cr+!dEV9pFU?PPh^8E5Vkj|^oR-)b26!Y8NS`en7P5!~nx7Vz6?Y&ZS$EBaj@Nv!COGzuPQ%U>A zq@Y_XR{QbAdP`O?yYu7;TO54%D@sdghdh|p*FEIwy+>#Vyxe#+(p^g6lRJeb{MY~X zZ@3CSAb$x+3s_lEG)(UY4fRAMO3ostC-usy1n0%GK{WT<4km6d=yO=-b&b>9+j~1? 
zAZ5IwJ54q6|3`B0%R9@#f0-EU$|@kob0cJ0cHaeztvPwXK*82CV%|6h{{>PUB{y-> zD5gLlDBfbrCeWI zcpc#F+96DgkwPdD!{4V2YEJ$4sfEr0WoImsg)CZ0^r#7~6WXIt4$sNi`RdK0`TUE; z&*vMpdyGKM1GYz#3kq~nc^^2bqkBZZ6SmP6UQEN^z8 zAatZ^cLB9hKbE=&44^WDTjO=-=!jfUc$!aM{Kw+p$qE!m=P376`N)5uyEV!j7%pYs zI!4Kq#V$lps<S~nHY;1Gy_boVe*IJk)8 zvNSC_;F)Owa7VnJPA&8`%%2g(r#4-}CK6afy1 z0$eFxTzcI#Q~nX=KIVnuo|46tr)@Mk-Ai9W)j*Eq7C3GI+DVG0mx_9FB?i&n&H4M1Z7||xtC#w;x7Q(!Qxr}%_k?XyNaKMPmG~R{o2^o+-bBEdpa~B^IFTvp1<{xvj zs4koh358CeU4((b|YtQ0!TdJj5wd*3|=fG6v!mq?Cngkge|OCf+L3z?#y z-lH74cc8Fto47Q3_x4w;rXF!zXW_W-8N$hK>}C7iHPU5(Ku56P8bNxL)H-Hu-bY<)5P+|*<`0-$WwM45G|-8YBJ#q= zlvg2OBsfYndmXzn%Jk&jnVo&L%rqydUtXB9-5$krbI)U!g0VZgG>tK`Hv+x~GR$K+ zFdfT)LdqYbZrVgvN~_)3MS%dLvFEuV(jYlylbLS8iNUjvFeagn5qrelJX_-4-NrgT z3b<4pjIt=GsU|;il6yg44gi-h8%8Gm$M4(6nD>q0V8x!d?^$;o zzZ;*gR9%<1+`Fz5<_P6L!tyBfO5bwjLcTyOnkDzrF;2~<)61Wf7S!C5^nsj+IQ9Qn zUY{Q$zmAH#sHOX+@1T)>&3F;IHm-a=!O<9<9Gkh}YI}2pZp?XhL6m-gVbJ?!=oj6y zH)1dF(mg~&(jXrDAfjq`$IzeJmHwP-xMWq!Yk+d2k1+1L3MUWnE&hXfDXBj3;8m$r zbS5mwY6Qtp93w;AG8o=U5M#6lqExqt5M2mlM-aV5_9G;l5+Ca;m|d_(th_JA!rglI zYT-lTqdXmRjfJ^%OxnT*%uinlXKdw^Pk{Pox@_}d=N=x!Cf+ONh&$>N0aygKxA&N{ z*k%M^i1^|e)OHpnqlIb^jk)sG*G#CxDx(aUE*1+}J|999P@2H@l$0l^y(hxmdlnue zZOQOU+XSpZ8e1et00X?_biIbPolytx&(5J0*vZ@as1+lQ{HjC2Kc&U1erORsM7mf(X=lFIw5K66$E+a?G~0!=(S@*(^9$ zIx-+n?vlf7QtbtoZ<3Sq46-a+9`*#N+ryq!0?!mSUwJo`jm@C+C$NuqA7D>ex_45f zsg`%{%+D#qk@i{daK#!KmBbK>voa_+KH>Yoom#SiUN78B77mwF>J2UO~uKR3jUvC7~9s)XG`S z8F0H;9p;jts5xRVv^AyJAHP*DKphW|G$D7oxc#>V*aI96SVc-PLO}%rO3P(+saW_d zYvl4_SFk0eZ$9F@>Gg~cq9a#LcHL^GX;f{x7lmW4zNWOY9jwwDP>ZbRtKU(2Mq zdtFgK1my4p$5#*=65AwS#TW;~GPPu!zIOPUc-07Z+?5?n@_igQx11Pq|ATqtDZAvm~uDe(20H>Q-15;97qeAgJ-ONvU zEBDYY-TY{|EBsegWjWgv;JlyQNa|BHK3p`_5mlNY@yAy4q?np{RiJfJG91Q8l-aHrC-yt3zYX9c!9Cn)<3I5KIZhUVt3`fo&p78Ud9~K8c%c6rChKcTYC8Tq!B{_m0 zp=?Jnhg}716V)kzocGa4%utFtc|LQW3V~>0JmTi|Dt+gZ7_}$X0hnlYOP`y%PLY>_ z-R^U04StSxD(IwG++%)J^a2|yV4kOewWYV02t*rp=-!Vbcksl{Bq}B^0E>M|-Yl>8 zSOY3$h~?BNtOmlu+u>=>i7d(l76z%Y98M4V;jx<{jv^8@=txBjJ2H(7QG7vqR=DH5 
zzJP5liMFyKqtX(5;&xxy2$Z76&=`CQu9oUj?rg1n&lva)TqJGf+weZl@mZ^th?K{Q zdyGa5fEP>jID3n^0GJ^7p8iUqBU~}(TahjHzz)+MDX)TP$MFIbIRIt8wMda6=$5DS z<{Wh_R*EVM@l{2+3jtxg#7#lX4ofvKFyvt^O)`{9C`A#s(f`x22!;V^42RS+lY9Rf z0BBE&BD`_QBcamI_CQ5n=4tEAU2i7qe)#1$quG} z8)@NkPVkZ{KNh8Wl53ZT{Q$LzVzelcutx=jbyToO<*8T_zuX`D@_yxPacf_Q7rA`+ zg>?qujyduWvQjKt}IoYT{n2XJ!cx2ODWLsOg2zd#s zaO|Z_g{{J_3GP74a|fR94DGhf#VYUrLDI3q8mm|9O}w0 ze~x~+is6Zb&kZ*^$5=(_$GO%3Ki$Cb`fb%6m>_IW;-dm4ore7ydK$=(e;z*i2577E z`%llqWrp$ZMb3lt>)g$|^Rn(zyRF9U47DhksI-c1y7^^FM>{UFn+)9%c{PTn@2$n- z`HePrNI~x{B%mA5TZ@TO_HKF=)$Fqn|LJ0!5LcDS0Qsn)K3<@qC);iHDs>CaT}1Fl zwFT*mMMLcleVCt){sDL7l8wn&#P^He)W=WE6n$c~%Ka8wi24Sl;j%U7 zUVgT|V38r7DhX~wu9@XYR|zNbazck&=EcGcBO(B;9)&(wSQT=F*raJ$%yxYG8*(|~ zwm}GWwq3duhiF@!VNiDXbQ?ziJGA&Bbek@%hd30X=_~z+W^%^CXCFa0 zoR=|)wihypn&0C{!Ak3mJOOT}6uyM(j)d9uWnY+E3IlIDH8?T0yUvj?GXV(=xnR3o z)k=(m`>otnb2m^>e3#qN-CyI-5n}7`0t5)MuFHUroLcn-^QVjN{RFdiwo=4Ged2d> zr#^G4tEK&zpfwrWHUhMdLlI4_phsm%XR*^ zy|I5$9MEHRGw-?O9fg{jhySIh@#n`p>$mKfBLdqyWTpg+&Nb6CrJl$HLjj>Ai6MlX ziJTA-(@~YO^hN+WZStoPffy={8@O`4s#4#R-2N%PTDu7*V)CL=d6*zP5tedYSEX=w zGX2up;?3zyS_-#FFV-sE4o$BV6kX+A#XxZ~l7#B_(D|gIiX>XISz7nDRdpKdtmlaFnOno| z?dAN|ti)dW%QWdE;x<+?h4_6e@Vg<+6?{iVXjCl?iwD4c<@~lcAR@(eK`IiaZ~zGB z1TiI%VIFItRroQ$7vQ4kVE5MQ9n^1*W6!GM(qhVL3+Gib*`rJ;do$&(T=-L12GIwA zC6R1Bahq~KI(mW@(6x~17qo$5)dlj>>{7%O7^31NiJ96Nq>y_17V=fNuR6P8a(tX| zte7Y+sz-_^F zG3%Yw5@dhiM^7r^_c(>BLbgdpB%Kv4UQK4TTqRl*v&QFI>ZClq={W!|tbp|TgzGKW zMJU%@`R$2=J)(j9`}VW1zxnK|hkr+o80UI(`uf|?o<9AX{=+|Sp2DcJ?>$21>U#0R5$RxEayTAaj`C<>Ojq(7y<32fz z_^XIR*S1X9|hTA0ke$%PT>TCmoiBncmtp^iu67V&gYJ#~pxl1YCUWx)4 z)?mxXHP!@8&*+dD{jm=aPQa!zt5iYX5Wib_SLGPJgFrCNVEamco@5p*D+S}l2L!6Q zj;0DL$hpbd*JuZxfg=_h5JP441Mo(aQm%xS?*L-(Qnu-xLD5~Uf9ww-$s^B@O;82r zX)HI#n3p4QrI5Yw7)3!4xcrtkFUDU{-F>kJ2TOsm!t5C-c?NaGoFL@R1ipf@D|U5+ zTuC?F0=3;Cd-{kYxJMk7iY zEoC&_k8-NK|J@f0dC}Xq_ixtssrCKxBP4;#;x=7*rfn`V*LEoAP=iFY)^k-neV>eI zn0*v`_Yjx&F16VDJ{#Ti;V6{Me%ffU#;`PvsL8~6f$%R9OQsjzQy|yQuhM6K$5x`90W!J;vAsb>U1TH 
z(EnrZ>zd;_lI-3Uq5sgqmjxq4#*mbDymah1BucZRu)Zu(;|GTynm_}@5JbZbHX+W_ z{0KkTe{X(?&pDY{m36CbcZ0;p^RO{1qPuV1s;vAxc``4-vnZi039{h0zDdQcf6Yk+ z#2;mi13|hJxxilcI<*+&#Y)Tpy-#{33bivjWRP*>Po*>&wfWoidN7)(!7fGWII;La zY`PsVZjPN#9Y3svO|i07lB}V16bf`yRRS%WKC1Qy;tR53jr!0;T8v&@_C5&?$K;w* z4&_DFiEVKx36=`@3HOd56QwFs(_<58l~H(&)gk5@PQ|7dO%%=m-hj_mYi^U~y?5sf z<~sTK@$zgfQKC+pbVkU#?1eg!J?1hofT? z3Bk#o8I8nRUOeFB0!&#f42oPks3)zP)XvL=uiF-nC5v#Hukti-zhY@L;er8k-ZL`L zGc9wn1=6Sc#TbSYwM)Nj5oCKArEZ*Y(UdxS+#MI>KGEL`_2810l0lrYTW(EhE0%kQ z)vlTIIs4tM3?u`fhN|nnzzSJGx^*AjzYe{bO;`vcuOJn(k9=NZ=@nf_udlJZ3> zEJx$uA@$XLam2{Skj@!mXoYxVbu5-4utY#~Hvn>Uc~>}A#mV1QH=0g8aAZyXJ)`~O znO6_nMhv@7fP_^qo1rBs+MrRDt@#g21b`_DG!W$j=PXy5CxT3)xy;@-oSnNtk8(+uw2+dK7ntIO z;((X#V#>l^(I@_%$v~dq2C)R=-AnT6SfXeoN_`Y3i7W{R>xrbmG+qa&`6UeYUNU5t352^ zyEAZPo%M;{P`%B!dJlfp#=4p2qh*bL)(`lh+zKm|tMRGj2G>qH@t|IBU;c$8>?W7u zaG~h&YFcni-*4}B0$D6hU!Nm9S+&2<$hA-maENvZ!?LoxeLJ67>oti|{k$CsgIuznZgjy#}4bz)S#S zg=+~9ZSc5iV(m96HdAl|xQjn(yyu=~2?G3;bxd_>ltbq-A=01=7BP^}A~*S)M%s2kB~G z3N31$-#3bgQ;l7eSQV9KW!$_A(*sCn=7HtEj|-TRm9P`Z|f_d;3f7-ISV5v=5qTZix~o$ds$ z+&8x?Ba`%c>4pA@@K<2Ov~g3sH9bv@@;(l*bbhq{_1^xWkYk{kPv;gqU1jJRatMZ2 z>iVbCzN7*IbcF- z&EUCNY6o+M4;1Q(VVnFOuhay+TBeT<20yxl0$gDv8rN{&$k66OSs(K}UMpIHJ1c+( zo1mu%!Tq9XU@=&8QR)Q%yn1-{@G~UyHsH1cTSvE|45OPU#4eEW(IVus*z?iR(%z74 zIM@u7=P=HN!p!Kq=#8O3fb^>+&fl{_af2f9%bSE^;|iHnqi=&&=D#)Jw)xEOK_q(3 zZd!SY22@ILWECnPL zW{qfx!7sYuNTCdVMPrw@F<^Yo%y1d}&KuBLf=>){Cl{Z826)V7iGu&ttHqx_kMTJnJ7RwtMaK>!- zv}#Q-8;HVgP!9m7gDOLZnse{iL|U79fI`6i6F zB!LvOv_ahH?nFg|Is6EQnQb+eD0}dFwYq}DcCVAsv>H^1+iaL9ku0H-Y(eng!I3wx zdj10p4|7xv{SdN9&N-xgCG(d{gyP2RI=S6glTR@&^uKmc97!Lkcz}~9{;trZtmI*+ zI1o|}jU>oC_6au=Me#KvUIM3lW-t>wV_5yHr##4%YMvvY2uw;B&SL!Z0KVvgF&#=Y zeVws;Y$}H18ESfIuE#%Wt>2fpoMKy`hQ`n%(%!N24!mR$UdUn-5;P|hwZ-;8dOuU0 z3^pVj=)R{5WwLg~4pM@u?I7vNlT6#$1QJsfnE3k&F;G;Tg^PyU01iG~{8uP}93F9}_Jv5pnkw?9xPIyMSZJk@qUwrsiN?vd&=L#%s~onjf?(l$&SP?8DUDKfZM$WV2~3yrx$9oQZ}YRoAM`& z5?yaV%qd?dP`M+M3X$+7b=!1k)+#vrIP0zi$By5v@PY6b;efC`23TRb2&Wh88#fGA 
zd(f~-wdc$>=;Nm=iv+$Lq*?aJ&d0+ESe0h6e2GpEU=}h;u%C*B`V|V7Dv$X8$3vvo zF++6EEf$$DkP84ryZ&lZNio2lJ)2^3GT#dF!=_w?t6by;$T~}BL732JY59mcUaPKc zXX!D$Lccb{sZ^9QbRDU2#y-dBp zp24C|JC7jqu`wf<;0GRG*`mg6oZXw3E2L4*VffMgTRce~QyuqW<($Mu@1kEcc_Z~D zMEb2ozPrgOE=VqLRKls5>K#rBP|-K&3=O3_$oHkewzXxk069R$zqy;-zqt9eI_6i> zq`iny96+~xPqm~H_GHOKmsd?w70EP2%RFY4Y1B^-+H$J2rr(c@f?t5XLmXHH+duHI zZjs9aYaYtneFsyi^{SL?EjF(7_5JiVZesf1@H*-wdsYk5-M&tLqI89uaw=EQrO5Iz# zH8bTO_+glYZn={vz;l7RytaI=4-Sgnx>93%G=T|4^~B#*bw4(a!-m-Ho5E_9d;j#4 z2N|ji7swg~P5C6*Yz{jvT#{ABnLTErj zf!h9Wv#TLF^7eLa<=~2FfFth$<{AC3?Gi1vhtwG5IT#>QYE5S-N|Z4 zN2UQSc*Fe>XsB)c74Ae$xA**kA&@}0NS z`$BP9-Rtu+bEgbzpdQ^uxnS!eD{ND7kgg0je_}&WbFs{gn<~0VazL{{mt;S;pR}|=s51s@ zC$9s6NdZKZG*C7<8SCsBrz$+k$5^JQs~JsSsGJh>XgDeBheg4H(*QjOy%SfLFG80M z=mi~H+R8dbp@XlEMcopzLZ2%gOY{pOhdD7Xtv#uy^n=8`S3d-48 zkXK*Trk+(0eCn%%Nir`u~VAD(f5kSLXvxdoQxS8s{mPufsZ$4n;1n_btchyQ5nCvvF<>ULy~u z$rcfV3%n3Hea;IurCG&Ps+`{vX+VCD@x~&Tt`Aw+X6nMb>yR@5oMR>cI%LQl3=m(H zYgK^Klb*}?( z(80aIAQn}jVHb?(4yS#^PW4Cs=}9m2llQ3i4kwNwN~?G1oYF)Bu(bM2Po3a5XrI!^ zjDipl3gSB(Rx--I?ONF9(=U9f7hm?upK=Prq2e>x+DmAe_^8$8pF98l z3!)$7Ym~S9u}OsS2kf2TMobTW@#~w5r`I5LTmAbz6)nJSckd4iTWtYJ^C#fh5M-b% zR-YrOSs^m&?(>qAuMmI%wlZ!f6}Y=gY$8iNVhU2z@E;(otAIX~q@Y(Ct>zv7J~d>XiJewa%qjzys^Zg>4r&0wADX|$aU zxn{E;jlUgY(;v6L-Y&ElUEvOK)Licp7X}sd9f{rx| z82oH>XrtR#{(viU>IR&Gyy z+wF0+CzGBz=+%p#&Rt^VDIimV({~ma`nZH}k_x>{`D~Vt`~faa#~+Mn<`H(?dtJQt zZRAycYpJ~(p*4lrNx)IMCs}0Y(@MYD>qoGI!U-m*Axr2|2Xp0_S=OrFq)ymVw9Rm! 
z@Yrk4?u2(b40XUQwTr4IMNv@oR~ZiIY6LTtXPZ2c0C6{ZW#)*|g&D#6>-_Mg0^ENB z9KQyl(N38Kf{|jEff+5DD+wy zgK4xalHpnEy7%~R$YGvixQM`_|2*eJ1kc)W)XX$Q*XcRguaJZH!Fz%=mJGTX_)!2Sbp3vEq7= z2TM(HWtJIvjN%9|_VXGgRKaFzW2XV4z?@m*n}&`u+H~ISL`?bc(@*C11PjBKj231q zU@WSP!Wukk=P0u(RIQ!8TKr(5di80!mdZjhw(){@6^O&sFPk^?bl*Y7DSm^Z$Ibb2 z)6J=_ld*&YyFWDbtXxqhixY6DjUSLqSY7cMrkXzZCipB6a{AFfZyk^bQGknPGcw%I zv4cX-2oUUZ>;jT5t0*HBnhB=B4L;KfS?iiiUBJ}GoNRJm82f5_4r)q#1mjH1*RJnl zP7ueV%Wp%Uz&Z0{{K_bJ;OamCOKQxg zc6TE}DzeKKHWR4bTbz0uh*UEjeZI!#EE6`TuS=C-3o z4MO{>MU~k|m$lmA;PqZ!!SdHkaP$_Ysh9FULg}_yHaQ#|!c8};(D^F=JAn!T5k!D- z0ho};d+D@=6Hr=IsnvtDY0KAyCJE)@+clNis`$dSWw#a<2k5XEf%pnw;>C3FtzL3* zgoGgbMksP^DsHw*2jCg&{dx4LZ`e5m2i+@v8-k$jqdm|LgNs`dIJBn*w0n*^e?7+$ zRRpzlrM@??0CqbgM^#&J4fTcG64i)tb}6M=a2|LzPuLQMQOffp>gz>7sesLGeM!}1 z0@*ijjsU)Qv;%nLAj&QWF=TpZ?00YJXR@0?aL3<9kpO@{<1sG9+YWk&x#%2<;Ss;J z1R$4Y=}N!NbB2(a%EA-ny3D>h5<9TiV3OZUjzD)DK$+jM(PR{}{PqzW1N;*6XI&kzQqHviadBsjK?^a`W2Agn!y@uGXmAO!qU9 z;LnLVE&>LePQNJkKay0Ist`1EbX%t1O#+UG`mAC2_+p}+d2<{F~5&;?3?@|MY_X3_lrBJL&?rylGD! 
zKJJynje*qITMfXO5*sn4d zFP7J@yWhyeH-|d+Ya5UKRfI_Kg&D+yK}UR!_P!rKOc$U9=Iv&CE8SZJMBpumha=f@ zk<-e>Un<<^4kkS?Be;mmkCACZ=K7HB7L#_@i1Qy?^!a0x)U!sz^0Uo_$N8yr|J<1p zr)T{`qP1n3V&{k3tDZmVkL!iL6VE5T7>`V(HdrUL7VzQ_P4whpcWq{W8h-$)O6L>M zj2$|HmVI!eAN3F9CkOZRQGZYQ$$#xP?9s#D_y0I_Hik-Oum||3(ULwNsiV(FuldF3 zlV6NK*`2^ac;D2sS7P`SlL>K(%&B)|n&~#mvnkexqK}09>6Xa#1b>N$yAGc5vNBpz zg>>P6W^|8gOATMO1%PXe?X<>G1n!Q~sFOQsC-7`gDqjSprjv&t2UY3j>MH0Xa|I=z zoYzo1^xEOqVDy?T3J}N}Cza(=*!^Tmynmtw?_6z2x$uu&7&0ps8#vx52iqViS#HqY zMvMwnpfL#`4UNtMCmU)8sBwOjm=RAo2nFd$9JTt|a3-$^?IijO)X~dp4#~qrXx#0$ z*a$V8SjTSQv(@9lks}25`XS)4woinp_}S*>N{t{^nlk$>BZ=iP!2(>IAkAg#&>naY z@(8>vzAGkFXVBgl&8;cV_&E_M(_t~NDtE79JA>Cm;l6s&OoXRck~j9Igf-yz_#2va zvVD_&Yq)fOV?(6bev}<5V%o0TB6&(+ioUtP5JsE}LPDe#VPZr^&K04{Mb}j&zOn^x zRva-Qn4Ac|Qhk=GVANzr`of|7-NEWR!W;A^^&A#UbXV*#9rpe}7GpuuRBayngbUEAy8 zc9WrLdwz|f2%+k5+wDF4VB-KiD?|~X8c0B6=-Az(q`6mqkF8I!Pv_dvLB> zvFns(meiSC)%whd@qv9>ZQLrc*GHH${hmWFNJiG{E0n%<2(qeRAB*V}_XTwSg^C=w z0y4KaiJiVcU?A}Pf?aMIm1x)GLP6>8MtZp{yYF4kJ#8ytBcFwKV8-`k(SJOF}oXZ8rn z-`hfZi0GH&aSpX01`~y`d*(-vKP%q}l2|%~Yw7p+e1n0R^sAuXy;uroi*O&)gkDs^ z;EyXsw0u*}yu|LhdTIsaKpeIV@xXKL9JN^q9y-}Zmmc0jT+8A`m`9nMQ@hYwciYmbtP=ANw&~KiIL00M@97$N5Q2L-rj9LG3OZI`#q6 zGKvh!gAYxeH={-cI1-IVAqqwJ4PADi?=(^4S9z85EL;0K3{gmaef{!W7eB)ly`sZb zpw8~=Qw8;unYyXA&p34kpa{!2>kQd^ENQ5O!==@`7J5yt+ylPj`tStA@E_fEczOAu zvYYqd!23@4%1B%TqFfQ*L+>bNEQ~`ZgmCbvt5o`7BQUK2N{%vphwbRVTVOx$pfbd_ zumNzPE%Jbfa(psD>YfKJaVy;L?gjp#>QeR!;$IF5_py%0>Rg2i(~Ss!PTxK(EW=IU z4>|55e>ibfXSy2&?%CH9ugUkgi2^yIt;-TX34FvZ?z`7JjL#`qc5b<)^3`3O!P7u< z9#H7Ldwf`aoW7IUFH2FmIcxS2Y6tQjOMi!W9nIblR9O{9@(XfE40*3h2h}tVf#24nm6y=r&FioCrRx5SIRihgEg3Th_CCyc`2~GKR=nWwv>P{RLEKNr^ ziOL%A$`Rl{J4;zxK7yJ2&4=wUnT*#mdnw!(FO2eVmA!hA)WCk>Gjn-uo~C z*Fgmj)=;0(U@F^MJmlRz-k#JOR7;|$Fb-#?Sw`t7m-?dUa{A4aW7sc9qHDAs{w6OF zsWCotEr)?mbOF#KKQMz>$AYJ63``F-WA?t{ooK&3|^ym3iC?FiNsqjg{v!+-v#Qp5tsQsFH$uNBo`Q!XrnFu{? 
zeEYzfNm-O_pa4eB7k|H8&g}|Kb>mYRf&&(>SX5p2CJC2*dG1~o2Tz(hWtR?Ina7Px z@)v){cBW?S2jQ-fnL%G*?zPk5g`IMFXsbFP?_0ryLc?3afK=Pcuik#ei=*IjpM^n% z2}{Gj3!d}|%t;R^eSveF(_dWiMD(g_JUPAU%F!KPTw|~ukC-`KRW@h_=Z^A4b6e+R zPmak{@lT5pS+-?t5Z|!SBz>u~#>=wouTBVQ1DI%J{JS^xD_$tvImw(E*yGg18e-aA zH!;E6Q@ht;Dg~p}84Iwav)**yM)X-93wwZmXmAXOgZJg??aeBhYV|&mxSU;!vrSA6 z5}6NWr$V#hpd18R{>9QCQvoPE@c3M?C?;!!?QS|(PKeR~{~2awBgqc$<_nJBb|Tk_ z6~h--A1&mM2SR=)HK1}!^nTR=G)0mHFBCg+_^iR;-I;~rWq_dVs01|ypx%Dxp70Vl zAro>5&I3pXX-07-?^fJwHkVL59-MB@!G4E7-C);i+T4mJ;3Gq36;)WPOW}rHTx=t` zf=@F&ux{GLDo+YiB>1z(7aK#IE0m#>QOUlvFEJ`CdZH=vRSV64}Z1R8&Ir7{GgmMGnoL}O7^ zwg{1+=BPR)X(`d>F={6oEwu>Zx56s&Z;#QFcHsWro7-!%?ImvjzFGUs~T{4MeEfYCpX36@XTYfYQZ$;#UOdb18aYCf5CUQ^fiHKNYJ!v zrioNjsv?&HTdxE3RazyB%(}JN1gDl_*o(~qdH}kqw{GYxhF2uyM*EVzq>B~}DF}4c zm;qsx)@9)7-ph}0xVF=L0r!VV04Uj`-}m=Bp~v_Udqs@(P=!3#`?L1%7qw?kyUj2j zaLQfIz&!=Ejt5e5vxeK`53fbe6%4HOu@QVpFuMwSJsXWNU&JgYwBEA?Q~z_i{1sW= zS3ohqwxOpO2MN+3sWO~h%ofOqmQT#%<+qU zlaSdXE#cm9jrYuxm)2IPv-tQ4%@~?Sz0jxIOF{cdyHP+4{-_zllQyc|pmuLCw&5?x z!Do0-y*7d7QLIHpKCgP*{cY6d+|BPK06hZ%sq-R-0ckm)4qf4>iHHQEaa;2-(4P25 zq)~LvaIm~x)1$JsUYUB;Z|!O`Y(g^#HWxhD+Ar8O5~*=TRH+OLDVIrT&c z^TCyy8AdFYR4H>wp+v7yx~Go~)8$xD+AnexW&2Y0z<0lnNHW z85>T{vDIQOfQ}6O1rvqQMeWqE0h)-LWga))7HR37OX}Q-((c)yYT`ud%*SdBO#L$> zfTLRddb|QjwKJJSP)9!jFNgnYO)p*q*X2S(Twbma)9nlmCx=Ic*A`uOZ@vI7oMMJZ z^kjiC&ZSSc9836)F6ka-&KQ?NPd$y~8i|vYv{4TUJ50&V$)6<2K7&Z&Y~{VWh@ney z^=d=bu6q(wgUS9ByF}!$c)b|0Y%m|L0J(k;lnQ_5u;(`~FW!H)c)msI5(S-S05+f& z&b$xUqqYuP@qaDfQ*Bx!r%V1!k>XctbVX1*ehI2o%X^{;mrP*%aI-ssAt%s@(Y}XJ z1%bZr>fWqy8)0sfT{Eu(;k;LLsg5n&mi%?EJw|T$+usttaho%te=9`>u~h6? 
zUkX;y-ZdJX8pIwR!h)NGb-OuZCjlB>kS2M#KEW+ARf!*i11kb~QFM%8I23zk4{%+` zr_@i!dREjII|HKWT0w7oNy&E7l0~9sQ@Wq`8b0g*e)Sb%5uW7s650W+8|Z4|By#V6 zs@J6MR>pL}2na$B_nN6In_11v?|e3xMn*Bd1qi2i02vwHjSVKV^MyvXh|r7jDRY$n=P6EEumAIcetnPaK z1siL2r+X14RMY!%w6>sAo?XOj2o#GTZYS1`Po=NoNsuz|A10N7@fqRzHnB@IbY>KG z)jYV@UA$I$BHQS*iKr8_0@Rd|`@pYx4wXIhQPB1~$<*7cHNnda@Y3gAu5ew|{^p(F zeAjMOoy%KEN!s9=jKw%<@^Y)&Bq>DY;7gaGiSolm0ift63FP8dhgD4G@+Md)NbG(I zw<5g3%|`Ow-OA_Drcqxk)iR!b`pF|;a#6;`ypJGW{tB?6)hXtL=b{IM=p9B;qZy2s zCO%GBfd3cxwowg$Yl0n$!Y(rK&>s8_9D4pHs*R5yF352Jqy)b3=kwJ~{~*{Bq+hHB zMYYQEd7tEs$8vT&=7}gYTFNY*A7jc9Dc0i0%~pQ;$&-hu#c2}iMw}S$7vGnDf%YY# zFxjb#z&)vX>J@~VC!6IBR;Q|1r z`VRKL+t(|(narCB4}fPg$%9TlB!Si&cnVjqFl3wmBKre^Yhz0mu#1P5@S|j2a=;f% zEb5G2z`VBS;}H%O;S#^VQ4Hu2Kp%pf&iCjcdd^bj_8QJDL_y^c@Li}W6N2+#@gJaz z<#fJ$Q(6&*)1yz2Q%wD?1nh3uwvKlo85L^gSjdB^s0kMVL1GGpEnb{+%@fq_`yVYt zAuLvB!1<>uBsAUYA`|a1Vtu(<81c6h4Q2f&eC(wno4{uX-CRaSPyTGBSf8pXG$m9s zWSuPo#2Mq#gXeF(IYp5TN=gOiQ|L&4f`hl==+z89o7YKP7-eH@h5m)6b+98U*SQ?H zMCcMiENoPg4~3?s?mKccf-dq0GVtnmaF|E5O~6}y1>`Y)LZ#W#B%g3@ks^%jE)$ZL zl~^3TJYPd8Zy*ru3bK6MAH5q={_JsuSHZ_4p*s`#!`wmh4Ha4DVSyrrSPQCw3O*!N zX7cv>R;4?LEnN7DW}CENwSk09gDSbjbT9DQVXP;4iWz&${&EpqAVgNR-%}OFiZF-? 
zcd=)oj9Z+UofKa8&5xBI)AWwtk-^&G(9Bz|-OONS!gjsY)5TFS#s?&NYIx^fQ}j0g z`Gl5h)A?|R5Z>2cdwAb08~S-@!WRyob>`LjrS~y2-H*#nr z{HGSzjChV9iH4+x_UT|p+oq$C|Bd5<=+CS4C!=eos_~z@K66#398x$(l>)4vb6Lo$ zw66A8ADMewDH`b0yka5_*j%J|85xiL@1fVN>~BQMeK{iou=vi9O1&pYd)1J%hbiLL zk*Q7^-pC53ESHnBD9HjeSr}uZ;DH<4Vm_CkG>W{Cqaz$LRm$8&SSHn8Zs$j}LPM>j zny>FPe$yw*Rj6nMYK+RG-3Hj0UJk5(2Ply7?!a4J8m?(={tnz4t6?;bVXYB3OcA$` zy%nk3vuP=xgr(D>x!nbzTaEa$27a|ujN=ZFbAyOlDKw=LI6D{FJY=&`Ke^tLiKk(| zzFv!773k|X*CR@yk%<>%uaH;a1nK;8q79XTVXgoYUvq93JfvE10CzPE13-b5HncQ~ zmRz3u8P1+E!HrN{oR(@@bq`T1M^Zvq3PTj*(`p2L%-lE!$%P07>4!5JvExci)gXN# zxb_DzB5g4$jk#1+v5>sEPK;a04I3U!6+Vj~P`Kch?_RE57S4xK-8u6e3?E{BH=}OI zAk^t;o^o4f0GYGo2g?&T&f=vC#fr0T41#eKDZ8(ioX`}s2zbrBw@m8a9+ z2HhPvJW2nCT?{;nJhJpluDb1~cI)j@ugy9;wTYx&C+f*P#W9Sf^n%2{e#T^x7b-sQ z%f7YZpN^qw{aHuiAY0(DTZG~zO#;<_OqU;rc7}8D@k)_IVGk{vC_HC$|3GVUTk^Qv z59k(0>cg*?q$P}3xj+NvjZU6xwzP9mTDvNMS#Wl3FB1t{XEfCjmN^7Owjc_od7=eJ z_(pOT<`QQb64YTWlT_`u=0Q12fm`@Z)gwtyQ`22go4j$bGcVKhODtz6$W7ELP?vx2MTzEFf=*QJXm_ zdJA+KBgyMjZR)+WzN|Y4jN(QEB?CAt(*vZty?v0>C%00YE_MM)_TeM4Ut^anH-H^> z;@>1lm0|l*yBp9ppWnaVna)4rAcYtQ)Wg8GQ%AnDm4$>luWN5bH6to?=NGmFp25bLwW;N%dY~#$_{E*rFqlfqL z?>a*IgWAHtaezWH6u_Be+s9PmzfRA8WnFW-dACAyi>UUFLEi!Fs2~tqFr*(F-7~@v zX=3(AlmT6c*`%dN6IHmL`z?|4YepG0m3LB#H5qAnMm(*ZJDv8>QbTR82@h z=%_+ai^@h;)#^|Vo;4QB+~>awFTl`VT_2hFdW)J@+P4vV;7@M z^dBaL7S`=rAkjz5E0+AhXwSigMqITfZGv+6Y$YO@hmsRa1&4F;rn^jYFLz=cS|(PK zaBr}#wf6$n#$*DG1c*p82-@R>MWl~wi|7bM-U1HzN$Y6-M8Ar+c^7xJ=(r<%5yRr%%Bj-p%^Dk1(+#qb4s1+s$cBh_f}u(wAWw#e`eI9)Rx=XQ<=`92dLz~c9}2qyIV5sEx%qTTqFfg9&q^_r|&B=zgg z<&X2W&k48cIaR5)Lvxd+fes$K)!1Z)Cwff&*VNuCtYQYjBImE>o1)zlkTu}C%a|@e zT8SmI87@f2&VMQqR#2q!D`MBLeL*JL%7=kntHUtxp`4_!cIeE}K3H1yS_u*v_7& zq0h7oB(WmUr4LJ(gk4?`;VGwq^>pW(4$~$VU%i5q3SMG>CwqF47wl~&B1fF%`i%i( zE`AgxT=v@ViZHu=hCI;KAf)ra-1-v3Nmcs=JGs=sb+abdi&~2<-S-aAS2qXO>kBnc z-2qe1x2l)H;6%5EB5m2Q#yOsKw>ZWnWy{Rl2U7ACyaiZFq+!;a#(sSRMCHQ&gWIFA zp7iJZ-%1rIa**^h)IWfdeBjg}D|DL$^8~s&(nC%ulQ7h!0SCSmo40^$l`Bwhq}dgv 
zh*6+Y6S|sjvXeB|aanSMSQq_r#rn`W5DYl>gz%>4z`LMtOkWO)H9@QUhq8s^z6%CqIP5Ui$W#HW>n#e!00SHv+U-MV$r{=mA?RX~(xqd|n{pgU& zoC#(|?RL)xQ-dJtC3wjI?L|aI7u!b}+%j<5sWWdA_fkDJ*{zpqU5p%2H8Yc7Da&4> zq&_HA>K6Y^#Jrv&(D00BzB501NGVu0VCOb7X%s~pjz$@>k3M5zd7s^0*wK8{T!ar2 zY4ywjeN4iD`X=F`DdWg77)k9I%EVyo%$`iu&8MGy`iXC39w7Tup=Z_ZqTBU^VO$gF5Wa^`e zv)k*pf=vkM#-rOrUz>GfYo~{=s-d{VI*DV!G*=hhgi|>P*07pxYhYZpA3xJ&#%xNU z^p(GGfOlNPY5W`QH^m+FchzV;jS;FVrT{*}*G?=Uk%A&9@R1c--*A zz+7QOJzI!&<)^6Pt5$Jb#B%X+3mQdp*C5xIXZVrqZN*AO5u$q$SXBDY)oN&z79O!= zW!+r+i94WfrAZ{m@EVzLHnBQtq>|V9Y2l9u$&OciQ4mZfA~$sCbfzZW5HdR-t(Z7p zp0Tq_BWWPkPT{_cpuwBz&**1d~~vO>8)&#+(k$3=1La;K<0_thZnw zrWcJ;fy*16+w!yZqNOIkg0r6)T2qg(NmMkj1tVt0JMcbw%WCozP$+ej(Adt_gz~L3 zeAF0)1THZqOxS$iE5SS%KOhH=>COp+A$ahMCcfx9O?;&F0&9>T3EKo$q-=oIgfRgS zW9L;LaVY{vntceQy_V2i%hwmTy-f8qtFdwV)M3WZ@*5y=sVNTJ)zkG_gYI{yIN+_+ z^u(NtTH3C2%Hj799^WE$VL{_CcTs+(&t3GM=(E(?@V)Kb^K65jdDi6_1oA7)30LOW zQWZa$Qu)b(7V3)sPSJ@0>d@rsZ&YR>4ZA}2$+!kp(I|!BFNW!tLu#vvNsz8|I8Z4- z2X1K4)XzpJwTzUupo$hLDo!|R8_Q(#HHq~p9kWISl{?LOnOk-yRT$B@2<`8SNcwXK z0U|Pm>IUWXHMmQ#(X`r&2iIUY;(` zeHv=<%A}9VaO>`c41qz4BEz@CE*C5}$~EK&Vnd-CZ+=uxb3Q27MQP^E4x+hz1>A2n z=mfiKO#pHsp8k)oSvH0@W@ub7{Z$~E*UghoArZ`pGvzAYu;sKL7L4!|$1BTyEYkP>}bWBe$oJ>afI{|MaB(>G=xNJIRVy z|31mxEq;A-@f57!$E$z8$4d@Iwbi{pAbCxF)8>v?P(q|MEoil~Z{Ju|YoDDrEnVTk z!5oa!%lHMv>7L{uC$-#OF5%Yo>8L%KBq$MN3%4F1h#yT^W&9TVsUa3@ z)stE?M(0Qc&&!Z3 zLHQY2`8;`q@J)ORI@j(`4G;=ZmTyh!W{Loy0HZwm-RCk@B7L#qIFo}VBrJG^HD!C! 
zEHt3V=!eWasTlt!|MuW}OLse_{sX1<3$>PSAtAbKkFB2BCZSj>Dcc!twOoP8zcyHCIbg zAB!G3`)$d?Jumxy2sh6JJ(DY!O7=5P98{?Yy)VVA3cpezhXVjD7gqXrYSUxsh&)Ew ziDX}+n!V>fnIbF>6TQD$?(|k;wm}$ih9-tAVeaaqve8z^;|(fa`07M=xRPosseDvq zY6mG$Ya4A@ZC5Jw$^Z(6p>aoW|D(fN@T_VV6!*ZA4AkBI-E;jGLf*a5_dZlzmbFlu zmZl2z9=5ukPi(dg8O{SXE{Hm?5ls@=HzxRE0^(JfJS@Q~G8`63!QGS7QQZq!2vuDe zG_TSbg5U&Ej%n=*l7WL{(605REv7A@kCa`1dyxwx*V4P?@q2OW;D44Ei1SX!l&1@f zj_|S+Wcieekhhl0IsXP8vFK2^FLOt3Q} zO3julU2BJzul9que=o5lBlzMVE9$A+Jwo!V3T{C6X!=Ox`Vh2a?3!gfB11 zmg%G=lB;ZIi7}hO)D5qmKu<2Vd&rmge0%GQ!p=yv2v9q@%{r;JDt4Vpb=VYB@)DQs zxsC{%(N&X0Ru4HdKq%+Jdl8ca8dgXo4$pxYF_@$^veCCN6u4#WG2(IW&73sM!AWF} zr{sN8cK|fE_YEv>rZ;!``c(TY%A~K?cMN3g=)UrGLoG(8Y3SIXsEgtxT;awKF59PV ziG6d-Uv4^_-#x0_)=gW@*T0zZJo#X_}6jphJPR_W2>-oja=?X&8f+lY=^7(j4moN9trL2&kwUnfBEa z(_YZKQ&AB48YwKuk^u?z->4^11eYgjoP4|P_U)j)iUDs6Eq0glsQAXrrrUWOE$l)k$7DP3BHNP{3ql~#7mtTy6FNqx&r zb*F3J~z(J$f~q)Ww<;%C}0*gWR#H=3$%`q=eY}#-sy;kS!NGUs@Ck&M7I;gV#TO zH$S*`;1GAF*+bl(16GCn8VPcICY4PrPbICE^6OAdcZgV3B&`IyTsWq3o0Mfs30}8h`)W z|8Yfugqme;Hm}u>gkeZ&%$ia+@Q#u7ei`Q(Nkb$G?PnYtysUHDVju~B4EM767@Z5y zA6;{nVftM6Ud3pRb6m3dn>7(veqc`I`ex~GQeR`rg+|B--e!A#%~HLB@A-##54bZ+ zxNdQ>$ByhbNlJ~3TJrZv_a${)FJW&@n3RKHqnLy(-#uaGMShLc^MlXrI+@hNs7Xs&mdh-w& z&mBL&p5S+V>_ru#@Nwoh5kluIXp58eF*w&CKZ&_G8O-?eHO2ubA@>r|%FMLTo{#l5 z*Tm3o#p7>^0SL{W=V1l6YU>dMoXJ%LyPgkC_s#ELnK?t%%pq45qG7&|M%E4Whi4+q z=;{f96q@nH9-@)%9B6>A~Z>&k^LBmAmK2E0L7a-l)nVbC;4p>r5SN%1DUTfU~^&-ve`U&qy=@WhUputiE5e~7v9IlK%RoBkH?2#j$< zxC7bY1WK^C>E6Hy2kF!>T2*-|i)A^FQ8+9^ZhP$VEd`DuA0q|JEm%j^SkSv;jft?> z58~#Wp*4jqAgdXO*L>*T2mZLmzOLa*HlV3)b-w@!`LaY-vTN;_cd;7t#Mz|4 z@{JN6#9mUghpXWL@pG4s-xZ;MIKhV@7$Hz1CAnozTNAV{Erwe%LzKsl9UyQB!US;8 zIDjbnYx-OI%Vw>WnN?Z4YM%>5neLd5zPLeP@7h&ad0n|uQ+6psj01f#M=UaO^oA)7 zk|-vp5rq$TcXc=!rEnf|&2^~{rdlTO%ITU5L=^Ww z%GZo`9pmqpJd42GHcy`n=L|#XMBGx4$agk+aE${uq7Ay@w2QM}7Qb5@x-8t{pjKs{stjxKobd@qTbrOY?C?~?E6v~_z^)1mDoL^+(D8NdoY_byQTI@`; zA49$&;TV)3yZ|@F3qTQ?x!QozG2A}ks9iXPWgx2sJ>C@8K(slqmj8;TVr$U!UsVAg 
zP#r^(LjRYFr%@#YIm&32!G&+N4z$H%*ph{j%qjN^hI{JTy8&1L!rG-&Nm3=#JULpg ztK@gR)q!G~;Dr|39cUeHF*@6s)9kM7*X$7 zF<`^TR>#t&m(OT+yAja(JvPD(9pXNQe#+%%qxCSf$+OqIMtkf5vIzQ%=G^`2iDL`` zs~$M^g%J?Ts@WMyjxYLzP|JzUOX_9xDi6*d(_d+SrxF`iC1@xm;*#MR`{=*oI_fTl z)WQc89ev{Bc_$arB=9zWSeoEcX0)+l!mvi%2m^q(hXceqsqfWbSwIJ4(RA26s`N3k z-CcH-V~wrW%m_8*Nd$|eeXgPJN1>cRSVdAC9vj@R>lIW1bP#~Ug-EIy9VuIsA1%z# zb5ie+Ge-(=8?m-hMi}45Z*=g*?+kp=iNIItBc&_Yv{#3MM9x$F&8Gx7UK-<+>rOkD zNagoP0pAC;(_r`NeoQvuZ?`9>dT=nuqC2Bcob zjy&q{b%1!=RKqYf%Kd~{*@izzuuMJ@@kUWfzS#NzSqE)9K6Za@p7t25(lY<4r61I%Vk90_}>MYuM@ zUh;{bQdy#=&dN}pB8MVjBBq7}4_-2Dz8O(DIycldN)c<@q1#7Kzx2)h#MWF6M?MN5 zGo(G>8!J(EnnduRYfGTz*yFlucS;Sey5d_d7xJ%?gl67P=>#W=Y>9e4W-{66@XI$G z0-cCX95#fs>l|S%CU|mw;p^A0?+5A6>FWNg>+XZMMImA?)Rr4hr-cGXY(nMmQ4n8l zqBP98vvyBd%*THpBa9)zx%o4PH>*SWG;rgrkysu&BOyoy{&&Rl?nxSLVGI0b9#1{8 zW`*^FV<=RDnoy>bG4`?}Ko6?$%{lg+;|_TWzS3qNqENDBD>C2bWH$)A2FSuGk$qPv z9xPy8#lG~JY*A#BClYOm1(eS0kVToS zLv$!eTCmX<=;cc+1(tvzu7fd;kf>Av(5dMd*vdKg{==C)o%%>Lx_OGHU4XRH%j;`) z=Wv*DqnOVwuaKEg9mx9Be8<&P#z0E#4EU2i{R({oR|`cf)y>M*r`w44yR+QBRIly5 zW1A<>wk`TA+qP}nwyV0(Wp~-OZFSkUZQIq=W!u)Rz0SFJ|JT0j8=Mm_BJ)Me5%YOs z{THW8g^RI}`Ym}9a^;;PPP(0C@*LU~b0Ari(kI zwhi+wJRySw;6hL*>qo?MR_bZCi8zH7%LL9-Rti>Q@KqXEe!P~-(*-(in(hArs)RvJj%{b(~fSISwTB^$nBUOZG$pb>9x0oP?T@c^8@cQs=JPmu~Ld#0imc1 z7;Wy%VUoXDGt49k`L@KMn2Sok(=>@=v6;mHz+2alF4uOP=5=AYlj2HzYOUi`<_>Q^ z*lp&IL|-;wV>^04T~xbs&#kfR8xV)az84{jRvZm&=ky~_wxUq|k0s0)&e$0}dDa!F z1Fg;)pH=w{=b(dsCLkF}Y&c=D8r8WoEM~cZiXTu_GT=OSj{YDa0~=Km@>q}9P!${# z6zFxA!G9}gI@x4KeAZ?zoqGNFM=hOI!DeMwkPKR>SKoIzvg1Me(YEcE>!wHSIF5UK zRZpI~*^@D0WVEH@{q|dA4Ya|uyt0sEUuR=mI4+81H0(WrYG7{t)#jqHQ@he$ym&if zjO(A#M!dKrxSZLnd!PoE-!6BX1w$YXcUJE@p&7~h50&SqoH`Y-p!=V@J0C+Fejvy* z`Hhj{6$ywS210cT<*1B|8*doFy*2GQ1+Jjc+~s8ScblC zdzbp>jSq!mA$M>M{L6(@$!Ira5QalvfuS$0FFgF`7lKP(H@BlbhA%WbpJDEjnJ>Ge zbz6Zs-6UaR*; z`GyK}{ocXG8J9H%cJ(&#F1-lwiR*^RlF}tpWrzDDMT(`8ua(oqD^8$Wh3{ti~GvEQQ=|IABN9Q=|I(T!RhFzYA_6$yH)nYMwi z8aRF}?0SC_l)mJz2s;|_0~KHwiAiz<)l$gHHpuAc_HFSJZwutmyM!jLyJedx_DHrK 
zH{Y9lR;DszU4-|hkY}4MgUf81-giRRW=juGlr2>swdp&d373=>)uEKRwk$Xr znsk^BVsW|%&Bw+{dMZg4RjOis*>1dy5gWGpvko7xgV7ZZ*JU^qe=p}~$=fXt*<4^x zF`8jpfKo3r6r~PFQNb;fkYmpG5%GY~6=dwwMItg5m|F5~y3SeYe6B|Mmr)x>*gR%W-J)?lHFmcm7ja=kOQeHoT zIoWOX3!gD)H~S0J2^LyLj2sFrh{oPhEZjotMa@hROD$8b4?WzE-d+m7%_d4gT}zm zj23CPjOP4T93Ttm3xuc{%AlO2nchN%kz7i#fa{Uv`=3~IkE@obF@SubZZgGJ#@#2ETSxixOY8jRP0z(eV9^G=n@E~rD zWfhuV9hoRTEo}y8>itG%4b6g?`q*p80F%qx7P!Hnh6wjoc+voDji43LMcBkjAMM0q z251fIYh_52mK1YXHFiVaqLcgUsIzl1M+qB2wa__VS`0MF*eKgDs^&kv|IL6-(RQL0F#_x*!LOr?8cp~nW4ff zVx4Wa@|HSkM~c`a?yG9MYk@Ja+h1b9fDpv%o^Z{1IMwPbRs=-&lbHr?lynW^66 zxmiKl5pE<&CU=AV8GbT9K7H;@5FweFRKRRWK-01(H1xGf)6Bedcl=zJo!$vm)INW3 z1hl^GSXFh3s>) zB0h)V`*{@B`+0GEHH!ErZIAr<&pzaK@#-YJ2u}xjnmf7P)5?LPVgtj-omlAE--T$* z!Anr2Bqe_@iJP{IKgO~8=T2WCFp=C}Zt&&cad#JocxZ?fik=fP51xGB ze#ciVi4_aTzSHYDXdB=G7Q#~RS~IqG#sk~Lj?5#?9|fCPe+#!HF+*~A_xPRj#x~co zKdmvFfR`kTUYgdivTfTp5_u|wWxL-oul*^WZM$0XSAD-$^yUPBcCw3rKdfhJDnR$? zBC@={eg|bV;iN^--WhAlVPn1p)B*YNfl`hC9ttcTqwu|$N_7|y>C%-vHdqI849iRH zY! 
zSH+d&lvJst^CjUSz0WjGlVCQ}zTH4O>>PKNYlI?A_-=>l$Vg8f8Tjw7Gka3BnD+_S zx2Dx}$*>sx6WWckK`4p7;(i>Bu2mK4JZ^zXsN*!~l>OWsX%J>bLeuv>IvIV6UeK{c zPE*HTu6a*;L}xGA31GfxXNiD>z7Ep4JvnBIOE*q{F3edXfCnkq1GV^cz{B0MzTL~Q zPWZ`YfM7shtjF9M4y#R%<*O`oM*okr>Gtq6e{(``WREN94?wsfu}LB*N=5WjmvtBX(5I>S^Uo28go z?!En6f913cw>-t62uhO({*$9vVV_J^xQSB;70!eUS zNDV|vbo|uC;~e=Wb&B&94k^C}M|TOMNH_We5y;X!lQmvtT?F^t7R-Z;-PQs}B3PWu z{kTKZos|;8l$L@SoSgQ0j`6eSin^}zUqXNIxJ0Itd%?tB>83(ly^WNG`xvrd!z`>b zF{A|^XEZj#0_X1xMoxsvA2MajKx5|M6utH`_WWaF`qYadFV1=#Y*I!!D7I`$c+Nu; zeOHu~r^Tkh3;y_VL#=zn{=_%vU10Imj~r}+#ed+Sw!3u zN)&Ek>cRt7Qjb#Pm+m?1mdqtsS&lIwU1Oite1J(8sIY%jCI)eoUO z?0AN3m(~?GGI_Kc9+FQLS$v;h*$FNy?cCE``h}2WeRM96Wj@`}NN!7!isPMfAJwvdf&2FFz(ID zlAyr-4o;vKR~9-YTd;bcbJ444tnofJYiv(v&npP-rq( zXpYsW+%Zy$NCIlWkfWyC{i}t4!Hr}M2xj*53G&?s8W0ko!7f7Y1W2rmFl?BM>alo2 zA^mR6i6s}^{aN%V$_lk34k7m%#-%|5j)LYNEIsT885hTxEfF8{GAPhh@(N*e!;l!6s;5*Qt%bDqQotTE< z!5skePXX=JWQ^rq5~|r@kT_>hwYMoxLZ>R^r2HEFoyA#to*Jc9^{C}~fGZ3uIyY%g zHV7=mkjL*f)Fj~bJhXW2g#zOkeQ$oVfsB{5jPk-Ko~R<4Eb%!3$GmWmhDaa_^6A~vHDxg z7`uo5TM|U^42whAp$O%c!s@Q{rcd=vx`*FQw(Smi;1y&CvxnLn7x$`@X=LF0%ITpN zg%1+1x4R?n^d$M(2A4-^Tv&M%>em1j*iai7?4hkP-irS@PC-bPv$yXA3A|fEv?+I% z1dNHgG@7560lxrtui$(zfY7Ic2(y>>(lkGtWHxU|j}u8D7#6Djab zh6su=uPy{%i|I{iRA?@lmJeZwcycWx@6}&v+UPfG;$J<+7hwZ780k54-UM>;tNy*$ zPHZLa1eTWvuCNsPVEV#fk_#g!I@7e8#>R#RnuoME@N{O($QK{~qOwi$Y%6vui3C4b zIxapnS~@OE(O#g#BiV4Jj2e>HpfS0=BS_VTfp$IRC;NG-!_xjJN8!Pwql&QzF?BNp zJtB(T!=GTm98yVte*URvvp{(w$cT7ABd^+ID zhb^RnOgFD~l0N+={sSM=vM79Eval(~+y?MW3)$p5bXBCAO|v`T**fMsU`M$gr~VlB zDiM{%TVN6fgG*paxo`4{x?7Lu#9QOox0sZmQ9e3}4?t5DE-H+M5eb`SlsD zwDe#R1m8Hcy_@$Dc$kOBZ%H!bOefq79~T&I@G0u#YxX(PP6k>Lq- zWcQZ+Tt~FYG;PqUp#`Bm+?9HDt!S-5HI<0Uroi1tw>1Kn=0 zUF8(`lvnhjCZ#sQayP}2Rp3gxANZS>B4kaQuEh{t087MbOGZAc014g+j8n+_{JbHg&<^{aJ^dfU4_f4}N*~U@3+@OIh(;srP{z^X}r1&UoEj zv#CXVY08{ zr_t^MF@cr0y|~3{kRI4oW|?u)g|=GxA8OLx1EW+c zESV-9f$f(r%)V3STN2rDujpa7E${p`^cT$4MW-h?O1GZMtbhpJw?{FZJq z9#HM)w{fDe*BOn>(M5E`_3K!Xfze5{(3JH_2%1qsZhLIk 
zCXD-Ktv)6hH2ze|e3z+OAy7qTvz`%$5(q$HxpbhI3375y17Lw>B4bub^p761Ed486ZtUNAVH>f5f1WqP#%w8juv`bX{3S%o9#4bgvh&=&q=w&5OC9^ z*E_gW(lnrRkyAQp>4#ELIUGJ$Yf7-`wBap(bUO`ypJt*~m>2?~LDh1vi_K8lQdPp= zn8Nh28yGD{EFJxs$_00Qy}*f~p#hPYG})gOS#Poi$*z_CBlHB8n#4yp&~Db1G%Pxr zqx$K=NxiJ4 z`2y!UZl|r?Hnx04pU^*%%j{-S$nSKKt!V7eWO?NT`q*hg+*neduCsQyrS~w~OQ|R9 z8SJ|#$Es|vWPh0Z%sv-uH}DjNQ07NBR`L=SP`C7or%q#=y}ZNyJQ*aeI}T`vdjoKi z0uw~#6Q06RGX3P-?jj@o5J+n`b*j!ZDN4c15kVEGDpCZSGfS1sUw_i)W0XFq2w-jX zI|6_A$2epb362h3yR1&}0B+nhN<0YATKeMwq1CRHk+sw)j0Hvdjy;z}juvgGZv;D+ z_PUGSaL9sKkCZ;0#vl1T|C|chJTAc{Y}9eZ1H>wc(p@WF(MI58kV5F##h zKN*8xq$)7N67h2ywE7yEMz3I0Hlh(PImr_E`;>GcpU4SaCG`)|T?AFigt<@RVyoSZ z6oOq(YVDcF_w~|aKpOF(26}33R+H*(#|y@sci(7C?bVJ6Z`hmXse>*}Sv>i*k`~~y zSq}J3O>u%u?`zEpEl^>}E3V17kc63xn;X?j%+&j%ONY4bKD&K#t}UPDB;%wm&oZ{+ zKau;6x=}gDI{eAH|7_-O4KxEvfQI>1g*9o+BCc!6u41kCu#@C8ZvT>`IkvU3)DC4^ z;JIsXk~y0ic*>jqC7d(la+qB zi$t%H3y|Ujp;K>9i}OAQb1Mq8d7fC*ZXiNdLcrp)L~^lEQ1*9-Bz8Uwf%=zO##JYX zu5DHe%s2zT zWG$q9qPKEAF|4*fkoI+=@WGThx^MD%r7zl|)DHoe#s&(x1hp$fClsZ+ngUHiJ(iB- z?>Ja(Mvua~0v!TaFs@Z|G|lIThe)HK#)$nNb~Wb(?Wn`iSAp*vL7rYKp9;+3;DgZX zD(cZnQ{Bf9b;qnqZzbH;E?v(gtCg`r=FT8#kkCAd6O3Jgq&GYi1cFpH{%oF?xY` z$Z!$6tCUhi*M;fG^bq@~rIzC$S>tDZc&bYLP@t_!r{9i6_a*0NguUV1{k0K~oIkzK zSn89Y%2KnupGkiL&d{(h z?%ll@^An!HNS0PH0_V_p$O2S{#Oaa-_@vfhV2ty|GeS&d6}QO@{iNtvwZNqn-c$nT z@4V3wm$jMH2%pGFDVe*4MGa!RXs;})w&rTVW#9Iaa>sqZTR@j_lnw4pNs|8(oRM5$ zj8}neV@h$)#2>aFjS0-xwZ(~`E>(RyJw7DD2RpejWUGtI-&)`830sHxMh!=7e=9tX zpZFO`H)Ey&$>V%bgM45*ti#x&%|J@6_XJiQ7CdCc4mOYjZeQTvVoSR(g;wE*Q=x2y zDJn5yDVtrjt_exo8_M_?!Fa`J+tdo;#iQ2KIhh5g3D-(m!uM@fS;z}dH(Z*civ+t$ z5*3KfH=?H*{gja?A=H4+NLjdVQn;*iajm+F7ruovGygbqcPUj>@hub~&4j$ap8!t;tAn;+h`tnN9! 
z;AN9!DvO(2dDmmp#}W2n2A|E{3uW%hHZ%GsXU>*O|{<-5+ww+ z4?lTfvw&@Yp7aJve%@P#P_uXS>uSy)^P^ryji|++ur{oH7!s4Zntp#&nL|${$f$%V zw!f?eh-6zvU6nCr>&`8G{7fS1{iWJABOb!Ubym5F^2%GESVdJI6#x!F_?qsEV9GEk zR52?tqB_PYOV?Da0s>{chU#0=?;8aK;s6@>L#bDAmVFz4uoKM8WXFAGt{!(3%PHgh zQtfXbk{J@|S4OOpw4FKS?Svk^UQJDm+t{pUi%xgOd)RV6IscL#D=p~VMy0iGPM&w~ zJVQz(-xB6(KUk{?P3?~uuOSpdXf~j2`x%5fZgF+i#<*)F)u)9wG{kTP)-xN2mw0}p zDnO~!4o+Ud1y?CL8a`085y;uJ^jguonu?r!r2akzN6pQ|>M_S8)7qkf&sT;RaBt0w zXW)%y$LMuX($G-aVUZJ3$#q}M&>}j2y}-`3ZHAU4mAmOkouim(^|boPprgly99_Y6 z>tyW^i6pb@PwT1Ck!9y}PQ92G^a`!OokyoaI&v zu@z)3(N1*lrfIb^o-EPEyTHyq%r7h5zXCu@F`l_M7GoDVj`Hzae6L^{2_UTEKGb$x zX6Cf{J?9ElM%aId5T{aFS*|}@K-)Uy44@|(#v)nLY$oyt_VWWpm`y#((TYEMu(nEQ z;;H*ino;45M{6iin~LWGmO#Ta&OKlvmDX&F*?;2gBUS3}wqd(W2@bylgOuKhTzcI_ z?)?r3xq@dQn}2{nxbl5XL8ax8)yaJjV>IQ)T9wW)pU%Zz?pMohZ zEfSxHp8dm4qyHD&{zDL$oj`fXfr!E7sAu&_*PBC<@5H5Bw!2w3eILn0LrwwbteUnF zTdiD*PviA0nsA6ka;plJ>OyaEw#)&M0vvQI;tp48n*|ni(%yabLN8;F>!Xl+?Z+^M zW&$D`1s9vap!B4oRzJm>mbCnN8N5=q4OI>Tr}T*bWepk%3E$;(DerQWkYeLF1}pyR zMw+(-QqP|Z*;kJ%-hq0t$}_5y&G;`U9!dT3HpdMNUOj2?U356)-(CQ3XW(rGMF07Y zd}_VH>t$-vMOH7hK?|VBd9hVeeDCqO9d$1kX)1&{qREuFlcW=Jc%*B84GMOntOBb5 z_gtKMOCWFVp|#*`mHG!PMJ61%*x%2!!Rq5ybc8CBgwrBr4Cfn}Ez4@?Mu81?YT8LM zWCDabsS_%y-H-q#1FQN{28|Z0Q4wY^1Cy$(P}|`udfi%K2tS6K?6CBkyZeZexBH5F3NnXABbU6X~;+arWH}Ntb&} zDF|g3;vO8#FKRCyDZl>N??{ZiQm^R)8Z-a}$uOi-0G-wJHeEGHprF&cpuOEl#A`^5 z(i`$f=4O4F4`DS(tjK?UFmSPANp9!M>3yhAXlXHVQ0a`|WHelpX1*Xev|k4sr2kAT$K&dJw$~fbKPtLQ^7R1)!dNK%2pM{XuRZ zifp(lDd`P(Kci`p8(d(Xf}gx_b8G3o_m=Rr;Iw<7+2#f2BrBbvLN;~*TUT%e7?Qr0 z@QE@H?Cg6AXdeirc1ap>h{Q2-)}7d58z@*J3*;$5f(+tHFv}eF1#~Dy#hAV_pZ!Na zI_%k8(L|!1Argd~M2P-cn67MJM6w}rZ|`cC&DOo7c#l(DzGKC!1fya=3tGrNVt>DO z!*um3+Y zB-f3*i@)8Yjq*oTOL;Nm+#IT|1;6rl`tw2C`XvmW&a1=B1vHg{+;C<4eyIX0S{xwL#FjuqPi&n(&huCB4_rU;5ea3=NoS?K!wb^Zun+?@d!( z$+Gir>0)nNUuq{V-Udh)ZiuXjj|22;7dC;pl7ObNy6$)EcpIG_y5CdR&LJw^p6B0r z2wN~)z;r{*9h5VC+K0dZIQpNQXF5KXu?DDJoceM5?>r7~OIrr^j?DZHSr!e|N}($9 zRY|N%%tGUvnf$xJ+;G=x-qrl0@>7hZp&_j1Q?hu02bw)X_C4)K-qkl%%R1H#4J5_p 
zfnmsX6FawgT+L>kK>^za#l*YHWP9%z;?T0->j`052lu-MHbiM`VSUVF&6m^UJf#y{ zu{e5G$LoCLK?oc1jH2qXhCgT?`c)Z!M$Hv*Y&JrV<^M^mPDK&OD-~J)K4+sZ&{bvZ zvKu5}Lsr@y>I85!Q}%$3bd46xdbZS-kW`u)f04Jwhk_H-1W>tm#tHMb9{JX&>+9kQ z5xRuYb zf6+y>*ZIjwk#C|@s?o9qa!zkzLP`a)v@aU)ApE`;MBs7Gf$_OzjpAdDpuuZP^4t++ zbO@#PbU6M4pKF$FIJLPc(nUFglEsFuh#O7`RmE$hth31CXPSt^CuLot)a8-xF1RF^ z;jO-vhsNaRc*9vj&ZB@b=7= z8s2PuLt1e5iNCEwh{MEBiE~`Pqw4CJuM37)Tt8)E?)BZj?)kTC?Oawx0KVs3x9}|* zuTaDtonlNPQ@re!ZTB^YQH3|cSpg2{OCgqe_A9tKNWGkLX&EcRE=-xNf=EcDPQ;p) zcrm+G7EzCVqvqS$Yg7$jH_z|tFAT$0Ua>F4qp7JATsvGHJ)CYKpLHmUbZ_vfGKyUbEn+>C#Y8b{m?;hVfgtNmsVFmar>vkkAjcOqIEH%Jxz~rn3 z{UP)umxX`jA;%jJkZJl&LU6hPe1{2Bc#Ow}jRpgpp{Vmy=MVAl6<2Nz5H|Bf?M3i~ zI-=k$=|*;90j=cgezURu36fIRj$Vraua{MT&g``Z>~Mul7P#o+oUl%~q+^3h{~S4X z#U;CnsWSOO{>reaR`JaD3bJwxV(8WW=)=7(M|lvWvcSA*#Bc!SD^dUy>td|nBH0`p z;sENBv%e{*EnKVcw>Eox*0dV?Ycv^BO|hP?B`zeUebZE4q z0zzI0{e&8))kDAjt?Uw&Y8H$tg+kL=`n|WNekL_njCxZCi267%YtB%M6YFp_Q zcjZg(r_#VE-|KatNCDTyuE_IdSZXP0s;wefJpIMHJvy73jB+uF``!`}ZJ=>~VlbRg zng0gFOCctbJY=~{h=po{it2c}54Qn9+6dZjl)eX067|jF(%``!_tM{Mowe+(qF!bI zQvG5(qkJVEhRc-J;Y8tgKi;tDdF;JAsIc(-t?KmXWciQvO0X}wes>gG zGyJMcb0pY@d zX@%Cc@m)7Go&6w$$+{=X!03lppV6Vsvr4(jWScBe*^i)tiHS?6CzgP=;zoTL6=lG_ z{0lsb<{-WCOLn3|CKRUDvf4q4WH(NkOfTzV;G<1BJ$>KYO;(~3WQ))Cn?HV zij5=brpH>7v0eq8j})>MQ8eQ@dhfl-*>DmTY?g`sB$Yl~2~*0L7H)xHWIpZFwvvyB zvtr4xLwFw1sp{iLCnOxqa+05+TiOPOlC+3JK2NCy+{wt*RSM%6efHHNbHkT}RTl;Iy@CTSY!G$J6wq`EDNF94wXT2lArO{{n%|EZHWhG<>r#!o;agt)MleQ(h!b9xZ z!0lHZmqTE8*1A&ksh!P8+mXj)tj-*#2vX?ExkTS`cl)eRWWYvgN*zk#&TP5LEluV% zv!ti0Y>Ve0kWlmm*i?>i+rW$UBipq?V5>|r7J`^vidJ7pLA0{9})tW6qG1IDYaXK&m{eto?Yd%(bOt^{|#z7$BAiGKZ_l zCT>xo0WKqpSvuCIK$J_iA6w6<AvSAf|76&eP%tgr~ZJo!^dLqr=KS)W66<*BiIOq~?JjlW)64 zEygvZ7UbjR_mT@FQAI!hPMBAap;f|V3!%#g5Rqq)NEGkOsD$pzur93*he!no3Z?&5 zj<5aoaSKL8dtIun*f|IGW1zv{_s4B!DaJtRktKp4U5&Z|7#-@s!W36q-@Xl*=q_Ui~PlNr}U{q%N*!lf^5L%I=zw|4Ftv52ns%r#Zy1}7-b^UND9CR>2UTx=?sv^}QTb3p=c zXdFvqG4zQ!sH3_h3Ys4{)_TBlW9X?_26oYoZoZkf(HIeP`-CB0lH2)%U&6Q(HKWw+ 
z(>k+!_3ZgzJk4symry#t2BoAP`Ir6G{>r?8|8|m)cXPXJgTRp?Y@3gHh2XKYM$CiH zAtxhjWLj-_g&CdB<7Y?`%~XC(bBroVf2E+#=w9aVIT2IX>R1a0(1H~yk1-Ne+(3zf z&$Ic>{+XChPV52hkf1}W#45~#a5dqwAV};B@C|!3c7QP}fdGGInq!jg3_n!TsC^)}#6H`aYQ;x0um-8>wcyvUZ432bw(-FnE z4O@0}qLXF#sA`93@wV|`s&N?}H$FyZfV(!wg3zu?^U;T6D4twr5%DckI(bs-vJm*0 z7#$u#*0%v)`AFejmQ?34y1c9iQ>jYehOXMjVum`(0k!rhEFg+0^I9g33i`*oi!7(y zIDdo=ciVswu#7Kuj&hopmT}Na((Mp6Mnv}*>jL<#L*S{CmjX4eh4wRHYQ9x^!zEw| zLXEaUd#*(*#!Q7@QZzte5P21TBoFNccw~gJ48`{pRA|*ITo=p{Q<}~wZ~a!2tmABq zh4EhZi9RUX_`81bNVW|=OL`F zkeDMvOnhyAGve{R@1e`;X^z^}@F343U8+1j~VR<53mO^>`S1O+y56 zEUdp86SMwdBM+>-r1!-alY1d=J+MILT~3Hm=;8ZY-sQf)K`H*lw##PhSWu=y&=Nk3E4N-5S6a)l7h1$SH@=Plar3RT8bmJs+6j)or1*rC2u46L&@s`6U_l@7u%(a3y>+%>f-pDqFE3C5*pbJQt+YrJuy^BxX4kpk1lpC)viDmS zu;3`zk-t_Q1or*RdZIUJQYgU%q8-92DQl2E_&M2`L;yTVmf{Xs*L<`KOsTp)GOYOF z-AX4lk8krFLnX>4ZuPjSz&yKHcWnrkf#;@iZbnu+rmVf>HU0nw>)VtTZtPgpSV@FL z6p&Aph?)dyd)&6b!-B0OuwHR2i{Ov-Li|la{JpCB&n4#xAg{6Nn4<%@eY?|IS70_0 zQL^ina!pG&>$h0di!@#5z$efB^Eq2qP6{<_2Vp7;1^pPU* zf#`|stWXY>)$rB+c~SM6o#SqB8%9XNLF)xqBae~%Z?!De@V|*ouOSI}9FP>#jM2vi zBfi(lNYyJ?{Fgy)@Tb{=KxwCIFZ-@5f^Wx}UCm~jo+Suat2FK!!G@+YAGXpS1zk!V-ez4+E*a$W+C1amGPTRnCIcMP|cTs|Ag6%RY-#3)9 z3)L_d8@y5m5ppxtNe~Q1NO5vf+xE)CWGdvxvH;3yh>Y-#RP79fdmkvewYO1X^>nNK zV0=Kd{JINUUj|Na+1J1`_{r$faOB=4oYNnEsjk#{$i6K(HkY}pj7=`$_(1@pK2zJ~ zu6Rw5C$|**NZ0Pm8mu#A-H5r?er=K6ZEiu!IZt#}X*J%n+UF!T8FeX&sx6h}W89MrvKtQRP`F+ zQC*3Z_YK^S8nlTcqj`oA{gkCqWV6dyHH{OT7?;N~^}vP@2}Pl5C$h{1?@)bF>Giuf z&2?bhP(3t^#|Z(9CC0DZC{ff7=?3 z^(#+hnL%!5FBVMB0S=MtRTxP_Bc6?_{6c)~I*^*e@z!j{nOQCU;%yrbERNoMYlFZ` zWbylE0njqQvwyq`7@VpK_|6dmc2)9ziESy@Yy*Zp#?&x}WKnc%8}K3Rh@qoKP9V6f zC`~8oR6t((uZuw#w{_)KS#$u-(I+**3x%B=E|I&4Bee0$7k7K>>lUtbEY#R+ZY-9@ z`Bv4z09Iy0@<~y&8uItPk!Gs1Q7-RH5cW(z#9+RWsad$XT?PJtupH{IyukG_N!eAKL4g}rB5)Y{kxR71%oL*WNjhO@btz5@3FC&GO+7QiPWubBogV!@V_nS>q8oi{+?7vxL{^j!lF3t~x68$Ir1{=X zBqAYl@c9?N#MvkxcPNNcZVQ$p1%^8p-h+lP+yoE82~-ohEy0JA(YYQ5xN_Qq!^OZH z;no-1**su!uVvE?Mn!MhwI z#Os 
z{aCwrI3Th5qMI5lIBR&QkT^1%If>%;cp%WZ^VPBbf^kMboMU_An3y8-9=lj1YQ)cTMN|njk-uxSL#1?3LX`k;z+t zG(aGqxez~;Cs;7JLd_EaFWtP?Si~DgZ{JTk*A* z4D9Rx+Argjgd0B4_s2apPWY%+#yEZ&s=e+8hKSdAixjkR23ASW@JeXG1obyFaGXoV zZ?_%|Y>(6iFPj79(uQ3FWU@U;?X|#=xz%P@4vSnu$nX^~6I6tWTXROQ18?xH7^1b6 z77*<4KUyn)r+}wOR=%M3ia^Gal(D+)tlGhjT2k$!In|~Yy6}?_meu*R=X3pLcwXHR(3AyLg%PfUDo;GU4`NM{Qi*!>VOd&O7Q<;N)Dg`#-{KiJHD zgyxOri9mco6MF#m%AEzK&bmF)(xIyMd@GdNI1ZdZt*CgoMfYm5r4MRl$CN*Hr7cIe zp#jgJh`MZ}V!RnJ47Q9bUUW0q{NM~YDgR`B5z2so=@~QF8995HO8r6r0KUFJ0E#jo zpr`d$6+9q7U+jjC+*P|)N(TAj@j`CBO8qb}c8u#O z)sbE*)l&^zPrtI#DMS*r0Ki%kw73q-hjC`-4}6w}URlX%d<;ORyPJqiT1nCX$CpzJ zv`4numinWtYi53=BgfS21rf0}%F~F!k*qZNQn0q0af8qdmN|HXOJgU?IAR9_d*&Y& zBiRRG{9!Q;Pska9jB0Mi6b|`$!_7GU$u&zwQj&0~_$EKnYSg^l#o79#4nJIMk#9Ob zbo~P5g{Z&9-}I6K0RRyH$v^`;yZ=kT|9q|8DT@N zKpx>kF2gshC_@C5lnQCMt@?mDFP!yFxY4O)LIyE!vV9t(+owG+YjMVMhy~&kI=NQZ zEto|2HpF%4SmJXRx*0E9kzzyNhA`qqfi?Ud;5qUKC~X!;5F7};h4EmAgJfD;kabE;^$`*fHnsf%S4q`nFJpf1ocC{pWT7R8fS@Fq@ zdHFU7Mz%GNpNW_vW>4m;@0fwG=|+@3~o9sNi>A5vKSh(n!V; zAn&cHYcF^n*Gc%Z`#I(6cIb11E(C~aMh{e5k7Jt~o%}4+p5dmB>zRkp3-8lJ@emD^ z)=h80q1exByA5I;V@-WK=11pYC&sJ99qT8ovvb!ZzsWnaDN}m)2han=|I2M4U^>8m z$5&*`%?;ykc4LA804V=GnE(4uTg2AJ$;8Gd{ zVfa`5AKmzSAU?kIJ&q&f0Km8R|0p7@{{nDya|3s)n00#X3UfchZ4gVfx|7lK-{15a09di|Bz`i;1 RUxb4J41W_38tuCR{6BQ)RKfrN literal 0 HcmV?d00001