Financial Sector CSP Security Assessment Consulting Services
We provide the following consulting services to cloud service providers seeking CSP security assessments.
1) Before applying for a CSP security assessment, we advise companies on how to meet the CSP security assessment requirements (11 areas, 54 items, and more than 200 detailed items). If a gap is identified in the company's security controls during this process, we can provide the additional advice needed to close the gap.
2) We provide documentation and advice necessary for companies to provide CSP self-assessment reports to audit agencies (e.g., Financial Security Institute (FSI) or financial companies). During this process, if requests for evidence from audit agencies, demonstrations, on-site observations, etc. are expected, we can provide additional necessary advice to companies.
3) We provide advice necessary for companies to prepare for and respond to on-site audits by audit agencies.
4) We provide advice necessary to address audit results, that is, findings.
5) We provide advice necessary for companies to prepare for and respond to audit agency confirmation checks.
6) For overseas companies, we can provide necessary translation and interpretation to companies throughout the above process.
The consulting period can range from 5 to 9 months depending on the company's audit scope (e.g., IaaS, PaaS, SaaS) and the scope of consulting contracted with the company. The consulting process is as follows.
1) Basic consultation according to company inquiries.
During the consultation process, we check whether the company has the minimum security controls and security organization necessary to prepare for the CSP security assessment. Depending on the result, consulting may be declined.
2) Provision of quotation and standard contract (SOW) considering the scope of consulting work and execution period.
If an audit requiring overseas travel is included, all expenses required for the consultant's overseas travel may be included in the estimate.
3) Contract signing
4) Consulting
5) Termination of contract
The following is the legal basis for the CSP security assessment.
Regulation on Supervision of Electronic Finance Article 14-2 (Procedures, etc. for Use of Cloud Computing Service)
(1) Each financial company or electronic financial business entity shall implement the following procedures when using the cloud computing services under subparagraph 3 of Article 2 of the Act on the Development of Cloud Computing and Protection of Its Users: <Amended, December 21, 2018>
1. Assessing the importance of the information processing system to be used based on its own criteria;
2. Assessing the soundness and safety of cloud computing service providers including the items in Attached Table 2-2;
3. Establishing and complying with its own outsourcing standards reflecting the matters set forth in Attached Table 2-3.
(2) Each financial company or electronic financial business entity shall have the Information Security Committee review and resolve the assessment results under Paragraph (1) and its own outsourcing standards under Article 8-2. <Amended, December 21, 2018>
(3) In cases where a financial company or an electronic financial business entity determines that it falls under any of the following cases under Paragraph 1(1), the company or the entity shall report to the Governor of the FSS by attaching the documents under each subparagraph of Paragraph (4) using the forms prescribed by the Governor of the FSS within 7 business days from the date scheduled to use the cloud computing service. In this case, the company or the entity shall be deemed to have filed a report in accordance with Article 7(1) through (3) of the Regulation on Outsourcing of Information Processing by Financial Companies. <Amended, December 21, 2018>
1. Processing unique identification information or personal credit information;
2. Having a substantial effect on the safety and reliability of electronic financial transactions.
(4) In case of filing a report to the Governor of the FSS under Paragraph (3), the company or the entity shall attach the following documents to the report: <Newly Inserted, December 21, 2018>
1. Documents relating to the subparagraphs of Article 7(1) of the Regulation on Outsourcing of Information Processing by Financial Companies;
2. The criteria and results of assessment of importance under Paragraph (1)1;
3. Matters relating to continuity plans and security measures related to the use of cloud computing services;
4. Results of the review and resolution of the Information Security Committee under Paragraph (2).
(5) A financial company or an electronic financial business entity using the cloud computing service shall keep the documents under the subparagraphs of Paragraph (4) up to date regardless of whether it is required to file a report under Paragraph (3) and, upon the request of the Governor of the FSS, provide the said documents without delay. <Newly Inserted, December 21, 2018>
(6) In case of a change falling under any of the following subparagraphs, a financial company or an electronic financial business entity shall report the change to the Governor of the FSS within 7 business days from its occurrence along with the cause of the change, related materials, and response plan: <Newly Inserted, December 21, 2018>
1. Where the cloud computing service agreement is materially changed on account of the merger, spin-off, assignment of contractual status, or sub-outsourcing of the cloud computing service provider;
2. Where the cloud computing service provider fails to perform material terms and conditions of the agreement relating to the maintenance of service quality and the ensuring of safety, etc.;
3. Where a material change occurs relating to Paragraph (4)2 or 3.
(7) In cases where the Governor of the FSS determines that any of the documents under Paragraph (3) or (6) is missing, or the importance assessment or measures to ensure the safety in the continuity plan is not sufficient, the Governor may demand the financial company or the electronic financial business entity to remedy the insufficiency. <Amended, December 21, 2018>
(8) Subparagraphs 11 and 12 of Article 11 and Article 15(1)5 shall not be applied to IT rooms where the information processing systems of a cloud computing service provider who completed the procedures under Paragraph (2) are located: Provided, That, in cases where a financial company or an electronic financial business entity (excluding a domestic branch of a foreign financial company which does not have a substantial effect on the safety and reliability of electronic financial transactions and an electronic payment settlement service provider for foreign cyber marketplaces under Article 50-2) processes unique identification information or personal credit information under Paragraph (3)1 using cloud computing services, subparagraph 12 of Article 11 shall be applied and the relevant information processing system shall be installed in the Republic of Korea. <Proviso Newly Inserted, December 21, 2018>
(9) The Regulation on Outsourcing of Information Processing by Financial Companies shall apply to the other matters relating to the use of cloud computing services by a financial company or an electronic financial business entity. <Newly Inserted, December 21, 2018>
[Article Newly Inserted, October 5, 2016]