ENFORCEMENT DECREE OF THE ACT ON THE PROTECTION OF INFORMATION AND COMMUNICATIONS INFRASTRUCTURE

Presidential Decree No. 17308, Jul. 16, 2001

Amended by Presidential Decree No. 18006, Jun. 23, 2003

Presidential Decree No. 18312, Mar. 17, 2004

Presidential Decree No. 18594, Dec. 3, 2004

Presidential Decree No. 19513, Jun. 12, 2006

Presidential Decree No. 20741, Feb. 29, 2008

Presidential Decree No. 21214, Dec. 31, 2008

Presidential Decree No. 21692, Aug. 18, 2009

Presidential Decree No. 22879, Apr. 6, 2011

Presidential Decree No. 23806, May 23, 2012

Presidential Decree No. 24425, Mar. 23, 2013

Presidential Decree No. 25751, Nov. 19, 2014

Presidential Decree No. 25840, Dec. 9, 2014

Presidential Decree No. 26728, Dec. 22, 2015

Presidential Decree No. 28210, Jul. 26, 2017

CHAPTER I GENERAL PROVISIONS
 Article 1 (Purpose)
The purpose of this Decree is to provide for matters delegated by the Act on the Protection of Information and Communications Infrastructure and matters necessary for the enforcement thereof.
 Article 2 (Members of the Committee for Protection of Information and Communications Infrastructure)
“Public officials holding a rank equivalent to that of a Vice Minister of a central administrative agency prescribed by Presidential Decree” in Article 3 (3) of the Act on the Protection of Information and Communications Infrastructure (hereinafter referred to as the “Act”) means any of the following persons. In such cases, if the agency has two or more public officials holding a rank equivalent to that of a Vice Minister, the head of such agency shall designate a member: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 25751, Nov. 19, 2014; Presidential Decree No. 28210, Jul. 26, 2017>
1. Vice Minister of Strategy and Finance;
2. Vice Minister of Science and ICT;
3. Vice Minister of Foreign Affairs;
4. Vice Minister of Justice;
5. Vice Minister of National Defense;
6. Vice Minister of the Interior and Safety;
7. Vice Minister of Trade, Industry and Energy;
8. Vice Minister of Health and Welfare;
9. Vice Minister of Employment and Labor;
10. Vice Minister of Land, Infrastructure and Transport;
11. Vice Minister of Oceans and Fisheries;
12. Deputy Director of National Intelligence Service;
13. Vice Chairman of Financial Services Commission;
14. Standing Commissioner of Korea Communications Commission.
[This Article Wholly Amended by Presidential Decree No. 23806, May 23, 2012]
 Article 3 (Operation of the Committee for Protection of Information and Communications Infrastructure)
(1) The chairperson of the Committee for Protection of Information and Communications Infrastructure (hereinafter referred to as the “Committee”) shall convene and preside over meetings of the Committee.
(2) Where the chairperson fails to perform his/her duties due to any inevitable circumstance, members of the Committee shall act for the chairperson in the order of members designated by the chairperson.
(3) The Committee shall assign one secretary, who shall be a member of the Senior Civil Service in charge of the protection of information and communications infrastructure within the Office for Government Policy Coordination to perform the duties of the Committee. <Amended by Presidential Decree No. 20741, Feb. 29, 2008; Presidential Decree No. 23806, May 23, 2012; Presidential Decree No. 24425, Mar. 23, 2013>
(4) When a Committee meeting is called, each member shall be notified of the date, time, place, and agenda of the meeting in writing or by electronic document by not later than seven days before the meeting: Provided, That this shall not apply in cases of emergency or any inevitable circumstance.
(5) Where deemed necessary to deliberate upon the matters provided for in Article 4 of the Act, the chairperson may request a relevant expert or the head of a relevant specialized institution to examine them and report the results thereof.
 Article 4 (Proceedings and Quorum for Resolution)
The Committee shall pass a resolution with the attendance of a majority of its incumbent members and with the concurrent vote of a majority of those present.
 Article 5 (Organization and Operation of Working Committees)
(1) A working committee in charge of the public sector (hereinafter referred to as “Working Committee for Public Sector”) and a working committee in charge of the private sector (hereinafter referred to as “Working Committee for Private Sector”) shall be established under the control of the Committee pursuant to Article 3 (4) of the Act, and each working committee shall be comprised of up to 25 members, including a chairperson.
(2) The Deputy Director of the National Intelligence Service shall serve as a chairperson of the Working Committee for Public Sector, and the Second Vice Minister of Science and ICT shall serve as a chairperson of the Working Committee for Private Sector. The chairperson of each Working Committee shall convene and preside over meetings of the relevant Working Committee. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(3) Members of each Working Committee shall be appointed or commissioned by the chairperson of the relevant Working Committee from among the following persons:
1. A public official who shall be a member of the Senior Civil Service Corps under a central administrative agency (hereinafter referred to as “relevant central administrative agency”) having jurisdiction over the critical information and communications infrastructure (hereinafter referred to as “critical information and communications infrastructure”) designated under Article 8 of the Act, or an equivalent public official;
2. An executive officer or employee of an agency which manages critical information and communications infrastructure (hereinafter referred to as “management agency”).
(4) Each Working Committee shall assist the Committee in deliberating on the protection of critical information and communications infrastructure classified in the following subparagraphs:
1. Working Committee for Public Sector: The following critical information and communications infrastructure:
(a) Critical information and communications infrastructure managed by a central administrative agency, local government or the head of an agency affiliated thereto;
(b) Critical information and communications infrastructure managed by the National Assembly, the courts, the Constitutional Court, the National Election Commission or the head of an agency affiliated thereto;
(c) Critical information and communications infrastructure managed by a public institution defined in subparagraph 3 of Article 2 of the Electronic Government Act;
2. Working Committee for Private Sector: Critical information and communications infrastructure other than those provided for in subparagraph 1.
(5) Each Working Committee shall examine and deliberate upon matters entrusted by the Committee or ordered by the chairperson of the Committee concerning the protection of critical information and communications infrastructure classified under paragraph (4).
(6) Articles 3 (2) through (5) and 4 shall apply mutatis mutandis to the operation of each Working Committee. In such cases, “Committee” shall be construed as “each Working Committee”, “chairperson” as “chairperson of each Working Committee”, and “public official who shall be a member of the Senior Civil Service Corps in charge of the protection of information and communications infrastructure within the Office for Government Policy Coordination” as “person designated by the chairperson of each Working Committee from among its public officials.” <Amended by Presidential Decree No. 24425, Mar. 23, 2013>
[This Article Wholly Amended by Presidential Decree No. 23806, May 23, 2012]
 Article 6 (Allowance, etc. of Committee)
Allowance and travel expenses may be paid to the members, interested parties and experts present at a meeting of the Committee or the Working Committee within budgetary limits: Provided, That where a public official attends a meeting of the Committee in direct relation to his/her duties, this shall not apply.
 Article 7 (Detailed Rules for Operation)
Except as expressly provided for in this Decree, matters necessary for the operation of the Committee and Working Committees shall be determined by the chairperson of the relevant Committee upon a resolution by each relevant Committee.
 Article 8 (Establishment of Measures to Protect Critical Information and Communications Infrastructure)
Pursuant to Article 5 (2) and (3) of the Act, the head of a management agency and the head of a local government shall establish measures to protect critical information and communications infrastructure (hereinafter referred to as “measures to protect critical information and communications infrastructure”) under Article 5 (1) of the Act for the following year, and submit them to the head of a relevant central administrative agency by every August 31.
[This Article Wholly Amended by Presidential Decree No. 23806, May 23, 2012]
 Article 9 (Designation, etc. of Person Responsible for Protection of Information)
(1) Pursuant to the main body of Article 5 (4) of the Act, the head of a management agency shall designate a public official of grade 4 or equivalent thereto, public official of grade 5 or equivalent thereto, field grade officer or executive manager or operator who engages in duties concerning the protection of critical information and communications infrastructure as a chief information security officer. <Amended by Presidential Decree No. 23806, May 23, 2012>
(2) A chief information security officer under paragraph (1) shall exercise overall control over the following duties:
1. Establishment and implementation of measures to protect critical information and communications infrastructure under Article 5 (1) of the Act;
2. Request for technical support under the main sentence of Article 7 (1) and (2) of the Act;
3. Analysis and evaluation of vulnerabilities and composition of a task force under Article 9 of the Act;
4. Compliance with an order to take measures or recommendations necessary for the protection of critical information and communications infrastructure under Article 11 (1) of the Act;
5. Notification of the occurrence of an intrusion under the former part of Article 13 (1) of the Act;
6. Measures to recover and protect the relevant critical information and communications infrastructure under Article 14 (1) of the Act;
7. Matters concerning the duties to protect critical information and communications infrastructure, as prescribed by other statutes.
(3) When the head of a management agency has appointed a person responsible for the protection of information, he/she shall notify the head of a competent central administrative agency of such fact.
 Article 9-2 (Confirmation of Whether Measures to Protect Critical Information and Communications Infrastructure are Taken)
(1) “The head of a national agency determined by Presidential Decree, such as the Director of National Intelligence Service” in Article 5-2 (1) of the Act shall refer to the Director of National Intelligence Service or the Minister of National Defense.
(2) Pursuant to Article 5-2 (1) of the Act, the Minister of Science and ICT, the Director of National Intelligence Service or the Minister of National Defense may confirm whether a management agency has taken measures to protect his/her critical information and communications infrastructure as classified in the following subparagraphs: <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. The Minister of Science and ICT: Critical information and communications infrastructure provided for in Article 5 (4) 2;
2. The Director of National Intelligence Service: Critical information and communications infrastructure (excluding critical information and communications infrastructure for national defense under subparagraph 3) provided for in Article 5 (4) 1;
3. The Minister of National Defense: Critical information and communications infrastructure for national defense.
(3) Pursuant to Article 5-2 of the Act, the Minister of Science and ICT, the Director of National Intelligence Service or the Minister of National Defense may request the management organization of critical information and communications infrastructure classified under paragraph (2) to submit materials necessary to confirm whether measures to protect such critical information and communications infrastructure have been taken, and may confirm and check the details of protection activities conducted according to such measures. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(4) Where the Minister of Science and ICT or the Director of National Intelligence Service intends to confirm whether measures to protect critical information and communications infrastructure have been taken under Article 5-2 of the Act, he/she shall consult the head of the relevant central administrative agency concerning the confirmation procedures in advance, and the Minister of Science and ICT, the Director of National Intelligence Service or the Minister of National Defense shall notify the relevant management agency of such procedures, etc. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(5) If necessary to confirm whether measures to protect critical information and communications infrastructure have been taken under Article 5-2 of the Act, the Minister of Science and ICT, the Director of National Intelligence Service or the Minister of National Defense may request support from an institution for the protection and support of critical information and communications infrastructure specified in Article 12. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(6) Except as expressly provided for in paragraphs (1) through (5), details concerning confirmation as to whether measures to protect critical information and communications infrastructure have been taken under Article 5-2 of the Act shall be determined after consultation between the Minister of Science and ICT and the Director of National Intelligence Service. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 23806, May 23, 2012]
 Article 9-3 (Reporting on Confirmation of Whether Measures to Protect Critical Information and Communications Infrastructure are Taken)
(1) The Minister of Science and ICT, the Director of National Intelligence Service or the Minister of National Defense shall report, to the Committee, the results of confirmation of whether measures to protect critical information and communications infrastructure have been taken under Article 5-2 of the Act. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(2) The Minister of Science and ICT, the Director of National Intelligence Service or the Minister of National Defense may recommend improvement to the management agency deemed to require supplementation upon confirmation of whether measures to protect critical information and communications infrastructure have been taken under Article 5-2 of the Act. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(3) The Minister of Science and ICT or the Director of National Intelligence Service may reflect the results of confirmation of whether measures to protect critical information and communications infrastructure have been taken under Article 5-2 of the Act in guidelines for formulating measures to protect critical information and communications infrastructure and plans to protect critical information and communications infrastructure (hereinafter referred to as “plans to protect critical information and communications infrastructure”) under Article 6 (1) of the Act for the following year. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(4) The Minister of Science and ICT and the Director of National Intelligence Service shall share the results of confirmation of whether measures to protect critical information and communications infrastructure have been taken in order to effectively protect and support critical information and communications infrastructure pursuant to Article 7 of the Act. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 23806, May 23, 2012]
 Article 10 (Formulation, etc. of Plans for Protecting Critical Information and Communications Infrastructure)
(1) The head of a relevant central administrative agency shall submit to the Committee detailed outcomes of implementing the plan for protecting critical information and communications infrastructure of the previous year and a plan for protecting critical information and communications infrastructure for the following year in accordance with Article 6 (2) of the Act by October 31 each year. <Amended by Presidential Decree No. 23806, May 23, 2012>
(2) The Minister of Science and ICT and the Director of National Intelligence Service may prepare guidelines for formulating measures to protect critical information and communications infrastructure and plans for protecting critical information and communications infrastructure for the following year in accordance with Article 6 (4) of the Act by May 31 each year, and notify the relevant central administrative agency thereof. In such cases, the head of the relevant central administrative agency notified of the guidelines for drafting measures to protect critical information and communications infrastructure shall give notice of such guidelines to the head of the management agency of critical information and communications infrastructure under his/her jurisdiction (including the head of a local government obliged to submit measures to protect critical information and communications infrastructure pursuant to Article 5 (3) of the Act). <Amended by Presidential Decree No. 20741, Feb. 29, 2008; Presidential Decree No. 23806, May 23, 2012; Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(3) The head of a relevant central administrative agency shall finalize a plan for protecting critical information and communications infrastructure for the following year by December 31 after deliberation by the Committee. <Amended by Presidential Decree No. 23806, May 23, 2012>
 Article 11 (Designation, etc. of Chief Information Security Officer)
(1) The head of a relevant central administrative agency shall designate a public official at a manager level in charge of the protection of critical information and communications infrastructure as a chief information security officer under Article 6 (5) of the Act.
(2) An officer in charge of information protection exercises overall control over the following duties pursuant to paragraph (1):
1. Formulation and implementation of a plan for protecting critical information and communications infrastructure under Article 6 (1) of the Act;
2. Designation of critical information and communications infrastructure and revocation thereof under Article 8 of the Act;
3. Formulation, revision, and supplementation of protection guidelines under Article 10 of the Act;
4. Measures necessary to prevent the spread of damage caused by intrusion and to readily respond to such incidents under the latter part of Article 13 (1) of the Act;
5. Measures necessary to support restoration and prevent the spread of damage under Article 14 (3) of the Act;
6. Matters regarding duties to protect critical information and communications infrastructure prescribed by other statutes.
 Article 12 (Scope of Institutions for Protection and Support of Critical Information and Communications Infrastructure)
“Specialized institutions prescribed by Presidential Decree” in Article 7 (1) of the Act means the following: <Amended by Presidential Decree No. 26728, Dec. 22, 2015>
2. Information sharing and analysis centers provided for in Article 9 (3) 2 of the Act;
3. Companies specializing in information security services designated under Article 23 (1) 1 and 2 of the Act on the Promotion of Information Security Industry;
4. Research institute dedicated to the research and development of national security technology annexed to the Electronics and Telecommunications Research Institute established under Article 8 of the Act on the Establishment, Operation and Fostering of Government-Funded Science and Technology Research Institutes, Etc.
[This Article Wholly Amended by Presidential Decree No. 23806, May 23, 2012]
 Article 13 (Selection of Designation Units)
(1) The head of a central administrative agency shall require the head of an agency managing facilities considered appropriate to be designated as critical information and communications infrastructure or considered equivalent thereto (hereinafter referred to as “agency managing facilities to be designated”) to select a basic unit (hereinafter referred to as “designation unit”) to designate critical information and communications infrastructure in consideration of the matters specified in Article 8 (1) of the Act.
(2) The head of an agency managing facilities to be designated shall consider the matters specified in Article 8 (1) of the Act and reflect the special features of the relevant agency in selecting a designation unit.
(3) The head of an agency managing facilities to be designated may determine the scope of specific facilities related to a designation unit.
(4) Deleted. <by Presidential Decree No. 25840, Dec. 9, 2014>
(5) The head of a relevant central administrative agency may examine whether the selection of a designation unit under paragraph (2) and the scope of specific facilities related to a designation unit under paragraph (3) are reasonable, and adjust them if necessary: Provided, That where the head of a central administrative agency is the head of an agency managing facilities to be designated, he/she shall directly determine the scope of specific facilities related to a designation unit for facilities under his/her control. <Amended by Presidential Decree No. 23806, May 23, 2012; Presidential Decree No. 25840, Dec. 9, 2014>
 Article 14 (Self-Evaluation for Designation)
(1) The head of a central administrative agency may prepare guidelines for evaluation to designate as critical information and communications infrastructure, and notify the same to the head of an agency managing facilities to be designated.
(2) The head of an agency managing facilities to be designated shall evaluate a designation unit selected, and the scope of specific facilities determined, under Article 13 (2) and (3) according to the guidelines for evaluation under paragraph (1) to have his/her facilities designated as critical information and communications infrastructure, and shall submit the results of such evaluation to the head of the relevant central administrative agency: Provided, That this shall not apply where the head of a central administrative agency who is also the head of an agency managing facilities to be designated has evaluated them for the designation.
 Article 15 (Review of Evaluation)
(1) The head of a central administrative agency shall review the results of self-evaluation submitted by the head of an agency managing facilities to have his/her facilities designated as critical information and communications infrastructure under the main sentence of Article 14 (2) to determine whether such self-evaluation has been conducted in an objective and appropriate manner pursuant to each subparagraph of Article 8 (1) of the Act.
(2) The head of a central administrative agency may conduct a review under paragraph (1) upon deliberation by a committee comprised of related experts in order to ensure the objectivity of designation.
(3) Where the head of a central administrative agency finds, upon a review under paragraph (1), that the head of an agency managing facilities to be designated has evaluated the relevant facilities falsely or omitted it without reasonable grounds, he/she may instruct or recommend the head of such agency to conduct reevaluation.
 Article 16 (Notification, etc. of Designation or Revocation of Designation)
When designating critical information and communications infrastructure or revoking such designation, the head of a central administrative agency shall immediately notify the head of the relevant management agency of such fact, and publish the following information in the Official Gazette:
1. Designation number;
2. Name of critical information and communications infrastructure;
3. Name of a management agency;
4. Performing duties;
5. Grounds for designation or for revocation of designation.
 Article 16-2 (Recommending, etc. Designation of Critical Information and Communications Infrastructure)
(1) The Minister of Science and ICT and the Director of National Intelligence Service may form an investigation team for designation as critical information and communications infrastructure (hereinafter referred to as “investigation team”) for each field, classified under Article 9-2 (2) in order to select critical information and communications infrastructure to be designated under Article 8-2 of the Act, and may direct each investigation team to examine the need for designation as critical information and communications infrastructure in consideration of the matters specified in Article 8 (1) of the Act. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(2) The Minister of Science and ICT and the Director of National Intelligence Service may consult the head of an agency managing critical information and communications infrastructure to be designated and the head of a central administrative agency having jurisdiction over such agency before recommending the head of the central administrative agency to designate critical information and communications infrastructure pursuant to Article 8-2 (1) of the Act. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(3) Where the head of a central administrative agency has been recommended to designate information and communications infrastructure under his/her jurisdiction as critical information and communications infrastructure pursuant to paragraph (1), he/she shall determine whether to designate critical information and communications infrastructure after selecting a designation unit pursuant to Article 13, conducting self-evaluation under Article 14, and performing a review under Article 15 within 60 days, and notify the Minister of Science and ICT or the Director of National Intelligence Service who has recommended such designation. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
(4) Matters necessary for the organization and operation of an investigation team under paragraph (2) shall be determined by consultation between the Minister of Science and ICT and the Director of National Intelligence Service. <Amended by Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
[This Article Newly Inserted by Presidential Decree No. 23806, May 23, 2012]
 Article 17 (Timing to Analyze and Evaluate Vulnerabilities)
(1) When information and communications infrastructure is designated as critical information and communications infrastructure, the head of the competent management agency shall analyze and evaluate vulnerabilities pursuant to Article 9 (1) of the Act within six months from the date of designation: Provided, That where deemed that the head of a management agency fails to analyze and evaluate vulnerabilities of critical information and communications infrastructure under his/her jurisdiction within six months from the date of designation due to any extenuating circumstance, the head of the management agency shall implement such analysis and evaluation within nine months from the date of designation after obtaining approval from the head of the competent central administrative agency.
(2) The head of a management agency shall analyze and evaluate vulnerabilities of critical information and communications infrastructure under his/her jurisdiction each year after he/she has analyzed and evaluated them first under paragraph (1): Provided, That where serious changes occur in critical information and communications infrastructure or the head of a management agency deems it necessary to analyze and evaluate vulnerabilities, the analysis and evaluation of vulnerabilities may be conducted even before one year has passed. <Amended by Presidential Decree No. 23806, May 23, 2012>
 Article 18 (Methods and Procedures for Analysis and Evaluation of Vulnerabilities)
(1) Where the head of a management agency forms a task force team to analyze and evaluate vulnerabilities pursuant to Article 9 (2) of the Act, he/she shall ensure that the task force team analyzes and evaluates vulnerabilities objectively and effectively in consideration of the matters set forth in attached Table 1.
(2) Where the head of a management agency entrusts an institution specified in Article 9 (3) of the Act with the analysis and evaluation of vulnerabilities of critical information and communications infrastructure under his/her control, he/she shall take appropriate measures to prevent the disclosure of the management agency's confidential information that an institution analyzing and evaluating vulnerabilities has become aware of.
(3) Where the head of a management agency entrusts an institution specified in Article 9 (3) of the Act with the analysis and evaluation of vulnerabilities pursuant to the same paragraph, he/she shall order the entrusted institution to analyze and evaluate vulnerabilities.
(4) The standards for the analysis and evaluation of vulnerabilities under Article 9 (4) of the Act shall include the following:
1. Procedures for the analysis and evaluation of vulnerabilities;
2. Scope and items of the analysis and evaluation of vulnerabilities;
3. Method of the analysis and evaluation of vulnerabilities.
 Article 19 (Analysis and Evaluation of Vulnerabilities by Information Sharing and Analysis Center)
(1) “The standards prescribed by Presidential Decree” in Article 9 (3) 2 of the Act means those specified in attached Table 2.
(2) With respect to a field in which multiple management agencies having joined an information sharing and analysis center conduct business through an information and communications network, the analysis and evaluation of vulnerabilities in mutually interconnected critical information and communications infrastructure shall be conducted with the approval of the competent management agency.
 Article 20 (Formulation of Protection Guidelines)
(1) The protection guidelines provided for in Article 10 of the Act shall include the following matters necessary to protect critical information and communications infrastructure:
1. Management and operation of an information protection system;
2. Analysis and evaluation of vulnerabilities and prevention of intrusions;
3. Response to an intrusion and recovery.
(2) The head of a relevant central administrative agency shall notify the head of the competent management agency of the formulation, revision, or supplementation of protection guidelines.
 Article 21 (Notification of Intrusion)
(1) Notification of intrusion under Article 13 (1) of the Act shall include the following information:
1. Date and time of intrusion, and facility where an intrusion has occurred;
2. Details of the resulting damage;
3. Other matters necessary for swift response and recovery.
(2) A relevant administrative agency provided for in Article 13 (1) of the Act shall be an agency performing duties of national security (only applicable to critical information and communications infrastructure which the head of a national agency or local government manages as the head of a management agency, and critical information and communications infrastructure falling under Article 7 (2) of the Act) or a relevant central administrative agency.
(3) Except as provided for in this Decree, matters necessary for the procedures for and methods of notifying the occurrence of an intrusion may be determined by the head of a relevant central administrative agency.
 Article 22 (Organization, etc. of Headquarters for Countermeasures against Intrusion in Information and Communications Infrastructure)
(1) The Headquarters for Countermeasures against Intrusion in Information and Communications Infrastructure (hereinafter referred to as the “Countermeasure Headquarters”) under Article 15 (1) of the Act shall be comprised of persons designated by the Director of the Countermeasure Headquarters from among public officials of the central administrative agency relating to the protection of information and communications infrastructure, and persons dispatched under Article 15 (2) of the Act.
(2) The Director of the Countermeasure Headquarters shall be assisted by two deputy heads of departments, appointed by the Director of the Countermeasure Headquarters from among the members of the Countermeasure Headquarters under paragraph (1).
(3) The Director of the Countermeasure Headquarters may establish and operate a working team by function to respond appropriately to intrusions.
 Article 23 (Operation of the Countermeasure Headquarters)
(1) The Director of the Countermeasure Headquarters shall represent the Countermeasure Headquarters, and be responsible for all the general duties.
(2) Where deemed necessary to effectively remedy any damage caused by an intrusion, the Director of the Countermeasure Headquarters may convene a meeting (hereinafter referred to as “meeting of the Countermeasure Headquarters”; hereafter the same shall apply in this Article) in which members of the Countermeasure Headquarters participate pursuant to Article 22 (1): Provided, That the following matters shall be presented as agenda items at a meeting of the Countermeasure Headquarters without fail:
1. Recovery of facilities damaged by an intrusion;
2. Measures necessary to prevent the spread of damage;
3. Standards for calculating the amount of damage;
4. Measures to prevent the occurrence of a similar intrusion.
(3) The Director of the Countermeasure Headquarters shall report to the Committee the results of investigation into an intrusion and measures to prevent the recurrence thereof. <Newly Inserted by Presidential Decree No. 23806, May 23, 2012>
(4) Except as provided for in this Decree, matters necessary for the operation of the Countermeasure Headquarters, its meetings, the organization and operation of a working team by function under Article 22 (3), etc. shall be determined by the Director of the Countermeasure Headquarters. <Amended by Presidential Decree No. 23806, May 23, 2012>
 Article 24 (Notification of Establishment of Information Sharing and Analysis Center)
(1) In order to notify the following matters under Article 16 (2), the head of an information sharing and analysis center shall submit, to the head of a relevant central administrative agency, a notice of the establishment of the information sharing and analysis center in the form prescribed by Ordinance of the Ministry of Science and ICT within 30 days from such establishment: <Amended by Presidential Decree No. 20741, Feb. 29, 2008; Presidential Decree No. 23806, May 23, 2012; Presidential Decree No. 24425, Mar. 23, 2013; Presidential Decree No. 28210, Jul. 26, 2017>
1. Organizational name and a place of business;
2. Personal information of a representative and executive officers (names, addresses, dates of birth, and work experiences);
3. Primary business;
4. Methods of financing, such as membership dues and commission;
5. Operating rules (including articles of association in case of a corporation);
6. Matters falling under subparagraphs 1 and 2 concerning the relevant consignment agency, in the event of outsourcing.
(2) The head of the central administrative agency, upon receipt of a notice under paragraph (1), shall confirm whether any of the notified matters have been omitted, prepare a management ledger, and maintain and manage it. Where any omission is found, he/she may issue an order to make supplementation within a period of up to 30 days.
(3) Where the head of an information sharing and analysis center intends to revise the matters notified under paragraph (2), he/she shall notify the head of a relevant central administrative agency thereof within 30 days from the date any cause or event that leads to such revision arises.
 Article 24-2 (Re-Examination of Regulation)
The Minister of Science and ICT shall examine the appropriateness of the following matters every two years, counting from each base date specified in the following (referring to the period that ends on the day before the base date of every second year) and shall take necessary measures, such as making improvements: <Amended by Presidential Decree No. 28210, Jul. 26, 2017>
1. Timing of the establishment of measures to protect critical information and communications infrastructure under Article 8: January 1, 2015;
2. Designation of a chief information security officer and his/her duties under Article 9: January 1, 2015;
3. Timing of the analysis and evaluation of vulnerabilities under Article 17: January 1, 2015.
[This Article Newly Inserted by Presidential Decree No. 25840, Dec. 9, 2014]
 Article 25 (Guidelines for Imposition of Administrative Fines)
The guidelines for the imposition of an administrative fine under Article 30 (1) of the Act shall be as specified in attached Table 3.
[This Article Wholly Amended by Presidential Decree No. 22879, Apr. 6, 2011]
ADDENDA
(1) (Enforcement Date) This Decree shall enter into force on the date of its promulgation.
(2) (Exceptions concerning Schedules for Preparation, etc. of Plan of the Year 2002 for Protecting Critical Information and Communications Infrastructure) Matters concerning the schedules for the notification of the preparation guidelines for the plan of the year 2002 for protecting critical information and communications infrastructure, the submission of the plan to the Committee, and determination by the Committee in accordance with Article 6 of the Act shall be determined by the Minister of Information and Communication notwithstanding the provisions of Article 10.
ADDENDA <Presidential Decree No. 18006, Jun. 23, 2003>
(1) (Enforcement Date) This Decree shall enter into force on the date of its promulgation.
(2) Omitted.
ADDENDUM <Presidential Decree No. 18312, Mar. 17, 2004>
This Decree shall enter into force on the date of its promulgation.
ADDENDA <Presidential Decree No. 18594, Dec. 3, 2004>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 5 Omitted.
ADDENDA <Presidential Decree No. 19513, Jun. 12, 2006>
Article 1 (Enforcement Date)
This Decree shall enter into force on July 1, 2006.
Articles 2 through 4 Omitted.
ADDENDA <Presidential Decree No. 20741, Feb. 29, 2008>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation. (Proviso Omitted.)
Articles 2 through 6 Omitted.
ADDENDA <Presidential Decree No. 21214, Dec. 31, 2008>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation. (Proviso Omitted.)
Articles 2 through 5 Omitted.
ADDENDA <Presidential Decree No. 21692, Aug. 18, 2009>
Article 1 (Enforcement Date)
This Decree shall enter into force on August 23, 2009.
Articles 2 through 6 Omitted.
ADDENDA <Presidential Decree No. 22879, Apr. 6, 2011>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Article 2 (Transitional Measures concerning Administrative Fines)
(1) When the guidelines for imposition of an administrative fine apply to an offense committed before this Decree enters into force, the previous provisions shall apply, notwithstanding the amended provisions of attached Table 3.
(2) Any disposition to impose an administrative fine on a violation that occurred before this Decree enters into force shall not be considered when calculating the frequency of violations pursuant to the amended provisions of attached Table 3.
ADDENDA <Presidential Decree No. 23806, May 23, 2012>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation: Provided, That the amended provisions of Article 17 (2) shall enter into force on January 1, 2013.
Article 2 (Transitional Measures concerning Revised Cycle of Analysis and Evaluation of Vulnerabilities)
The head of a management agency that has conducted the analysis and evaluation of vulnerabilities under the previous provisions of Article 17 (2) before January 1, 2013, shall conduct the first analysis and evaluation of vulnerabilities under the amended provisions of Article 17 (2) from January 1, 2013, to December 31, 2013, notwithstanding a period in which the analysis and evaluation of vulnerabilities shall be conducted.
ADDENDA <Presidential Decree No. 24425, Mar. 23, 2013>
Article 1 (Enforcement Date)
From among Presidential Decrees amended under Article 6 of these Addenda, amended parts of Presidential Decrees already promulgated but not yet enforced before this Decree enters into force shall enter into force on the enforcement dates of the relevant Presidential Decrees.
Articles 2 through 6 Omitted.
ADDENDA <Presidential Decree No. 25751, Nov. 19, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation: Provided, That any amendments to the Presidential Decrees which were promulgated before the enforcement of this Decree, but whose enforcement dates have not yet arrived, from among the Decrees amended by Article 5 of the Addenda, shall enter into force on their respective enforcement dates.
Articles 2 through 5 Omitted.
ADDENDA <Presidential Decree No. 25840, Dec. 9, 2014>
Article 1 (Enforcement Date)
This Decree shall enter into force on January 1, 2015.
Articles 2 through 16 Omitted.
ADDENDA <Presidential Decree No. 26728, Dec. 22, 2015>
Article 1 (Enforcement Date)
This Decree shall enter into force on December 23, 2015.
Articles 2 and 3 Omitted.
ADDENDA <Presidential Decree No. 28210, Jul. 26, 2017>
Article 1 (Enforcement Date)
This Decree shall enter into force on the date of its promulgation.
Articles 2 through 6 Omitted.