Relevant Provision | Key Details

Definitions (Article 2)
- Internal business systems, like groupware that handles employee data, qualify as personal information processing systems if they process employees’ team, number, name and contact information.
- Sharing settings include allowing access to resources through remote access, such as remote desktop connections.
- Companies must implement standards to ensure the security of personal information when managing and operating a system for personnel management of employees.

Establishment, Implementation, and Inspection of Internal Management Plan (Article 4)
- The internal management plan must encompass all aspects of the technical, managerial and physical security measures outlined in the Standards for Measures to Ensure the Security of Personal Information. It must also address the qualifications and appointment of the Chief Privacy Officer.
- Within the “matters related to risk analysis and management” required in an internal management plan, risk analysis involves “evaluating the degree of risk, such as the likelihood of data breaches, including loss, theft, leakage, forgery, alteration, or damage, and the resulting impact on the data subject, depending on the method of processing and type of personal information.” The methods and procedures for analyzing and managing personal information risk can be independently developed, taking into account the data controller’s unique characteristics and circumstances.
- Training on personal information protection should be tailored to the position and role of the Chief Privacy Officer and personal information handlers, considering their specific duties and work proficiency. In addition to technical training relevant to their tasks, the training must cover essential topics such as privacy laws and the internal management plan.

Management of Access Rights (Article 5)
- In cases where issuing individual accounts is not feasible, such as with root accounts, alternative administrative or technical controls must be implemented. These may include account management logs and access control systems to identify the individuals who accessed the personal information processing system.
- Various authentication methods can be used for personal information handlers and data subjects, including SMS authentication, telephone authentication, and social login, alongside traditional methods like password authentication, One-Time Password (“OTP”) authentication and biometric authentication.
- If a user fails to authenticate after a set number of attempts, measures such as temporarily locking the account or delaying further authentication attempts may be applied to restrict access to the personal information processing system. Additionally, CAPTCHA can be used as a supplemental tool to prevent automated bot access.

Access Control (Article 6)
- The use of fixed IP addresses or MAC addresses on personal information handlers’ devices is not considered a secure method of authentication.
- Credential stuffing attacks and similar incidents are identified as a type of personal information leakage or exposure that occurs through websites and internet portals.
- Examples of measures to prevent the leakage or exposure of personal information include implementing CAPTCHA when there is an increase in login attempts, setting and monitoring thresholds for login failure rates, and using methods such as SMS or email to verify the legitimacy of users when they log in to a page containing personal information.
- Vulnerability inspections must address issues like identification and authentication failures, as well as vulnerabilities such as server-side request forgery.
- The “idle session timeout” for systems should generally be limited to between 10 and 60 minutes.
- When personal information is processed for business purposes using a company’s business app on a personal smartphone or tablet, or when accessing the company’s email server, such devices fall under mobile devices requiring appropriate security measures.

Encryption of Personal Information (Article 7)

Security Measures for Printing and Copying (Article 12)
- Prevent a “like” search for personal information, unless it is necessary for business.
- Ensure searches are conducted with specific criteria or require two or more search terms to avoid unnecessary or excessive searches for personal information.
- Restrict the display of information based on consistent standards, as personal information handlers could compile complete sets of data if personal information is masked differently across various systems.
- Security solutions can be implemented to protect printed and copied personal information, especially when using external storage devices. Solutions may include document rights management (“DRM”), secure USB drives, data loss prevention (“DLP”) tools and media control systems.
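The account lockout after repeated failures (Article 5) and the login-failure thresholds and CAPTCHA trigger against credential stuffing (Article 6) can be expressed as one monitor over authentication events. The following is an added illustration, not text or code from the summarized Standards; the log format, the account and IP values, and the threshold values (5 failures in 10 minutes, 15-minute lockout, 3 distinct accounts per source IP) are constructed assumptions, not figures the Standards prescribe.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not from the page): "<ISO time> <account> <source IP> <FAIL|OK>"
SAMPLE_LOG = """\
2024-05-01T09:00:00 alice 203.0.113.7 FAIL
2024-05-01T09:00:10 alice 203.0.113.7 FAIL
2024-05-01T09:00:20 alice 203.0.113.7 FAIL
2024-05-01T09:00:30 alice 203.0.113.7 FAIL
2024-05-01T09:00:40 alice 203.0.113.7 FAIL
2024-05-01T09:01:00 alice 203.0.113.7 OK
2024-05-01T09:02:00 bob 198.51.100.9 FAIL
2024-05-01T09:02:05 carol 198.51.100.9 FAIL
2024-05-01T09:02:10 dave 198.51.100.9 FAIL
2024-05-01T09:30:00 alice 203.0.113.7 OK
"""
MAX_FAILURES = 5                 # per-account failures in WINDOW before lockout (assumed value)
WINDOW = timedelta(minutes=10)   # sliding window for counting failures (assumed value)
LOCKOUT = timedelta(minutes=15)  # temporary lock duration (assumed value)
STUFFING_ACCOUNTS = 3            # distinct accounts failing from one IP -> CAPTCHA (assumed value)

class LoginMonitor:
    def __init__(self):
        self.failures = defaultdict(deque)    # account -> failure times inside the window
        self.locked_until = {}                # account -> lockout expiry time
        self.ip_accounts = defaultdict(dict)  # source IP -> {account: time of last failure}

    def process(self, line):
        ts, user, ip, result = line.split()
        now = datetime.fromisoformat(ts)
        if now < self.locked_until.get(user, now):   # locked accounts are rejected even on success
            return "REJECT_LOCKED"
        if result == "OK":
            self.failures[user].clear()              # a real login resets the failure count
            return "ALLOW"
        fails = self.failures[user]
        fails.append(now)
        while now - fails[0] > WINDOW:               # drop failures that left the window
            fails.popleft()
        if len(fails) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT
            return "LOCK"
        seen = self.ip_accounts[ip]                  # stuffing pattern: many accounts, one source
        seen[user] = now
        for acct in [a for a, t in seen.items() if now - t > WINDOW]: del seen[acct]
        return "REQUIRE_CAPTCHA" if len(seen) >= STUFFING_ACCOUNTS else "FAIL"

def evaluate(log_text):
    mon = LoginMonitor()   # returns one (account, decision) pair per log line, in order
    return [(ln.split()[1], mon.process(ln)) for ln in log_text.splitlines() if ln.strip()]
```

Running `evaluate(SAMPLE_LOG)` shows alice locked on her fifth failure and rejected at 09:01 despite a correct password, the third account failing from 198.51.100.9 triggering the CAPTCHA step-up, and alice allowed again once the lockout has expired.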