What are the ‘information protection’ systems and projects that will change in the new year? - ZDNet Korea

The Ministry of Science and Technology and Information and Communication announced on the 7th the main contents of the information protection system and support projects that are changing in the new year, such as expansion of the information protection safety net for ICT SMEs, alleviating the burden of evaluation and certification of information security products, and new establishment of simple information security management system (ISMS) authentication.

■ Information security consulting support for SMEs: 300 → 600

The government expanded the target companies for the ‘Information Protection Consulting and Security Product Introduction Support’ project from 300 to 600 so that ICT SMEs can receive support such as ransomware prevention solutions, and the amount of support increased from 10 million won to 15 million won per company.

For small and medium-sized businesses that cannot operate security products because they lack dedicated information protection personnel, new support of up to 5 million won for the use of cloud security services will be provided to 670 locations. The cloud security service provides security measures such as email security and malicious code detection in real time on a monthly subscription basis.

■ 5G service security technology demonstration center operation started

5G core services closely related to people’s lives, such as smart factories, autonomous vehicles, smart cities, digital healthcare, and realistic content, are in the spotlight. On the other hand, even though countermeasures and prevention of security threats by sector are required, tools and spaces to demonstrate the safety of related security products are insufficient.

Accordingly, the government is operating the ‘Convergence Security Living Lab’ in 5 regions nationwide, where security technology can be verified and the security of devices and platforms tested, in collaboration with related organizations, at sites where convergence service devices are integrated.

The labs are located at the Ansan Smart Manufacturing Innovation Center for smart factories, the Gunsan Automobile Convergence Technology Institute for autonomous vehicles, the Busan Centum Technology Startup Town for smart cities, the Wonju Medical Device Techno Valley for digital healthcare, and the Anyang Digital Content Company Growth Support Center for realistic content. Small and medium-sized enterprises can use them for free.

Convergence Security Living Lab

■ Securing ‘security’ in the SW development stage… Establishment of vulnerability check service

The government determines that SMEs have a lot of difficulty in obtaining safe software (SW) due to lack of security investment, and supports SW security vulnerability checks so that SMEs can apply security from the software development stage.

It plans to support 50 locations from March, and support 350 locations next year and 700 locations in 2023 for a total of 1,100 companies.

A training course for experts in SW development security will also run from May. From June, the government plans to operate the ‘SW Development Security Diagnosis System’, where vulnerability diagnosis tools and diagnosis experts are on hand, to support the inspection of SW security vulnerabilities.

■ Fostering AI security companies… Support for product development and export of 20 companies every year

The government heard on-site opinions that the market demand for artificial intelligence (AI)-based security is high, but the security industry feels a burden due to the considerable time and cost of developing AI security technology.

Accordingly, 20 companies that want to develop AI security products and services are selected every year; they develop prototypes in the first year and are supported in completing them as commercial products in the next year. The government plans to support the developed products so that they can be exported overseas.

■ Online opening of ‘Cyber Threat Big Data’… Build 1 billion

The government saw that it is difficult for SMEs and venture companies to enter the market due to the lack of big data necessary for AI development in the cyber security field. The Korea Internet & Security Agency (KISA) operates a ‘Cyber Security Big Data Center’, but there is a limitation in that users must visit the big data platform in person.

Cyber Security Big Data Center

Accordingly, a plan was made to expand the collection target and scale of security threat information to the non-face-to-face/intelligent information service field and to build about 1 billion pieces of threat-information big data by field.

Based on this, it provides an online environment for using cyber threat big data, building and sharing demand-based customized data sets so that they can be used in the verification and research of private security products.

First, after opening the cybersecurity big data center as an online environment in March, it plans to establish and verify the data sets and then open and share them in December.

■ Provide ‘PC security check’ by directly visiting the digitally vulnerable group

With COVID-19 continuing, online activities such as contactless shopping, gaming, and education have increased. The threat of cyber attacks, such as theft of personal information through hacking, is also increasing.

Since September of last year, the government has been running the ‘My PC Caregiver Service’, which provides free remote security checks for all PCs as part of the construction of ‘K-Cyber Prevention’ within the ‘Digital New Deal’, one of the core axes of the national development strategy.

Starting from the new year, it plans to provide visiting services to the digitally vulnerable, especially the elderly and the disabled, who find it difficult to practice information protection.

In addition, security inspection targets will be expanded from existing Internet PC-centered security inspection services to IoT devices such as tablet PCs and routers, and the number of security inspection experts will be increased from 54 to 84.

■ Relaxation of information security product certification and evaluation standards

In order for a security company to supply information protection products such as antivirus software and firewalls to public institutions, it is essential to obtain information protection product evaluation and certification (CC certification). However, start-up companies lack experience with and understanding of CC certification and have difficulty obtaining it because of the complex evaluation items.

Last year, high demand for evaluation worsened the evaluation backlog. In addition, at re-certification even a simple security patch had to undergo a full re-evaluation, which placed a heavy CC certification burden on companies.

To alleviate this burden, the government conducts basic training on the CC certification system centering on startups. The source code self-diagnosis software is also supported free of charge so that companies can voluntarily check for security vulnerabilities.

Evaluator training, currently spread across six CC certification evaluation agencies, is being integrated, with KISA supporting evaluator training in one place. The Korea Information Security Industry Association (KISIA) plans to open and operate an integrated information guide site so that companies can see the current status of CC evaluation.

For functional changes due to security patches, re-evaluation is replaced with a simple confirmation (change approval). Compared with the previous evaluation, the cost is predicted to fall to 5 million won, about one-sixth, and the time to less than three weeks, about one-twelfth. In addition, the evaluation burden is reduced by extending the validity period of the domestic CC certificate from 3 to 5 years.

■ Small and medium business ‘ISMS-P’ simple authentication

Currently, for information protection and personal information protection management system (ISMS) certification, certification items and evaluation methods are designed for mid-sized companies or higher. Therefore, even if a small and medium-sized enterprise with a certain information protection system wants to be certified, there are difficulties due to the burden of time and cost.

Accordingly, the government has prepared essential elements for information protection management activities suited to the size of small and medium-sized enterprises, and a lightweight ISMS-P simple certification system is newly established so that small enterprises can step up voluntary activities to improve their information protection level and eliminate blind spots in information security.

With the simplified certification standard, the government expects to reduce the cost and time required for certification audits by more than 30%.

■ DaaS security certification enforcement… Support for logical network separation of public institutions

In order to separate the internal network and the Internet network, administrative and public institutions operated separate PCs for administrative work and Internet PCs, resulting in cost and management inefficiencies.

Accordingly, the security certification system has been improved so that public institutions can use a secure virtual PC for the Internet to which the security requirements of public institutions have been applied, without the need for a separate Internet PC.

Starting this month, the government will add desktop as a service (DaaS) to the areas covered by the existing cloud security certification system. DaaS is a service that provides the operating system (OS) required for a desktop and various business applications (apps) from the cloud.

DaaS security certification scope

■ ‘IoT security authentication’ reorganization… Evaluation based on device characteristics

The government divides the range of IoT devices into eight areas, including home appliances, transportation, finance, smart cities, medical care, manufacturing and production, housing, and telecommunications, to prepare protective measures.



According to the device characteristics of each IoT security certification field,


Specifically, the existing ‘IoT security certification’ was reorganized into ‘information and communication network connection device information protection certification’ and will be implemented from the second half of this year. The government plans to establish the certification system, including designating a certification testing agency and preparing certification standards and procedures.

Seung-Hyun Son, Information Security Network Policy Officer of the Ministry of Science and ICT, said, “We will carry out active administration, such as discovering and pursuing continuous system improvement, so that the people and companies suffering from the corona crisis can feel the improvement of the information protection policy.”




