
Implementation of Grading System for Cloud Security Assurance Certification: Establishment of High and Medium Grade Evaluation Standards

2024.02.22

On February 6, 2024, the Ministry of Science and ICT (the “MSIT”) announced a proposal to partially amend its Notification on the Cloud Security Assurance Program (the “CSAP”). This proposed amendment is a follow-up to the CSAP grading introduced in January 2023, which classified the information systems of Government organizations into three grades depending on their importance (i.e., high, medium and low) and imposed a differing level of security requirements for each grade level (the high grade requiring the strictest level of security measures). The proposed amendment sets forth a detailed CSAP grade evaluation system for high and medium grades and further clarifies the current medium and low grades. 

Notably, the proposed amendment aims to strengthen the standards for security certification, which could have implications for companies’ ability to comply with the new requirements. Accordingly, it is advisable for companies that plan to obtain the CSAP certification to review the new CSAP grade evaluation system in advance to ensure that their businesses are not adversely affected.

The proposed amendment will be the first step in the formal implementation of the CSAP grading system. The MSIT also shared its commitment to enhance the existing system to resolve some of the practical difficulties encountered in the process of obtaining cloud security certifications. We elaborate below.
 

1. Grades of PaaS and SaaS

According to the proposed amendment, security certification grades for Platform as a Service (“PaaS”) and Software as a Service (“SaaS”) shall be determined in accordance with the certification grade assigned to the underlying Infrastructure as a Service (“IaaS”), on which the relevant PaaS and SaaS operate. For instance, the PaaS and SaaS that are established on an IaaS with a “medium grade” would correspondingly be given a “medium grade.”
 

2. Evaluation System of Security Certification

The proposed amendment seeks to change the medium and low grade evaluation standards as follows.
 

  • 14.2.1. Separation of Physical Location and Area: Specify “management consoles” as one of the physical resources subject to area separation.

  • 14.3.4. System Isolation: Add the following requirement for system isolation: “Internet access must be blocked during the management and operation of critical access terminals connected to Government cloud servers in order to minimize security threats.”
     

For the “high grade,” the proposed amendment seeks to add four new evaluation items on top of the “medium grade” evaluation items.
 

  • 14.1.5. Management of Security Audit Logs and Strengthened Measures for Abnormal Use Detection: Integrated management of all security-related logs in the system and implementation of an automated system for detection of abnormal use.

  • 14.3.6. External Network Blocking: Implementation of security management measures for internal networks to restrict access from external networks.

  • 14.3.7. Management of Account and Access Permissions: Automation of the management functions for the provision of cloud services, such as creating and changing accounts, access permissions, etc.

  • 14.3.8. Management of Security Patches: Implementation of an automated, periodic (monthly) check of whether security patch updates for information assets are necessary.
     

In a related press release, the MSIT announced that it would (i) allow external agencies to conduct vulnerability assessments, and (ii) enhance the evaluation process to eliminate duplicative evaluation items when assessing multiple security certifications for a single service. Companies may consider submitting an opinion on the proposed amendment during the administrative notice period, which was set to end on February 26, 2024.

 
