30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

gTLDFull Legal NameE-mail suffixDetail
.samsungSAMSUNG SDS CO., LTDyesnic.comView

1. KISAʹs Role
SAMSUNG SDS entrusts system operation of dot SAMSUNG(“.SAMSUNG”) to Korea Internet & Security Agency(ʺKISAʺ). SAMSUNG SDS follows KISAʹs security policy as the following:

KISAʹs main role is to plan Internet Policy, manage Internet address, operate CERT(Computer Emergency Response Task), protect information infrastructures, support information security(privacy⁄user), support International cooperation and promote business industry. KISAʹs Internet Resource Management Center(“Main Center”), which supports Internet address management, is managing the Internet policies regarding Korean ccTLD.

As one of the government agencies, the main of KISAʹs Internet address managing task is to develop and promote the Internet address resources and to build safe and secure infrastructures for the domestic and foreign Internet users as well as informationization of national society.
Since KISAʹs role in Internet address managing has national importance, it is designated as the Critical Information Infrastructure(CII). It is stated in the Information and Communication Infrastructure protection law article 5 to have the information level analyzed annually and also prepare protection plans through the regular auditing. The Critical Information Infrastructures are infrastructures with significant impact on national, economic and social society. To prevent the infrastructure from the physical and electronic attacks, CIIs have to analyze vulnerabilities and also establish protective measures to prove the information security level.

2. Information Infrastructure Protection Management Plan
Ever since the Internet address management system was designated as the Information Communication Infrastructure facility under the Communication Infrastructure protection law at year 2002, it is being operated systematically. To improve the security level of the nationally important infrastructures, areas such as finance, communication, national defense, and etc., the government is managing security by designating them as the Information Infrastructure. To increase the security level and to protect the assets, they achieved ISO-27001 certificate at 2006 and had maintained it for three years.

The current organization of KISA was established at 2009 by the national policy, (three organization, NIDA, KISA, KIICA, have combined into an agency), to activate the Internet business industry, enhance information infrastructure security level, and support the International cooperation. The former KISA was an agency to develop and activate information policy for private and public sector, operate KISC(Korea Internet Security Center) CERT, and authenticate Information Security Management System(ISMS). By developing and auditing Korean form of ISO-27001, they have performed the authentication of Korean-ISMS, PIMS, G-ISMS ever since the act became valid at year 2002.

KISA ISMS authentication status - 2012. Feb.
- KISMS(Korea Information Security Management System) 131 cases(2002-2012)
- PIMS(Personal Information Security Management System) 12 cases (2010-2012)
- GISMS(Government- Information Security Management System) - 36 cases(2010-2012)

These activities of managing Information Infrastructure is controlled by the Ministry Of Public Administration and Security(“MOPAS”), which is the control tower of the public Information Infrastructures. By following the National Information Security(“NIS”) polices, public office security policies and etc. MOPAS analyzes the national critical facilitiesʹ security plans and counter measures annually and by reviewing the validity with the NIS, gives the feedbacks to adopt the security plans.
To develop counter measures for the CII, it is stated under the act that only the reliable third party, designated as the Information Security Consulting Service Provider (ISCSP), is able to analyze and evaluate the vulnerabilities.

3. Information Communication Infrastructure Protection Law (ICIP law)
KISA evaluates and analyzes the important infrastructures designated under the Information communication Infrastructure Protection Law. This task is also stated in the law (ICIP law), and this evaluation must take place once a year.
Under Information Infrastructure Protection Act Article 9 (analysis and evaluation of the vulnerability)
1) The head of agency as prescribed by the Presidential Decree jurisdiction should regularly communicate critical information on infrastructure vulnerability analysis and be assessed.
2) The head of management agency under paragraph (1) assesses the vulnerability analysis, as prescribed by the Presidential Decree, if the vulnerability analysis and evaluation task force should be.
3) The head of management agency under paragraph (1)
If one wants vulnerability analysis and assessment of the following cases in the jurisdiction of the agencyʹs major information and communication infrastructure, they can be made. However, in the case under the provisions of paragraph (2) may be closed to the task force. 〈Revised by Act 12⁄18⁄2002, 12⁄21⁄2007, 05⁄22⁄2009〉

When former KISA was performing such certification and evaluation activities under the ICIP law, the united KISA has come to conclusion that KISA no longer needs to follow the ISO-27001 certification.( KISA was already under the law to perform Korean version of ISO-27001, such as K-ISMS, G-ISMS, PIMS and etc, and the certification object, the former NIDA, has become one organization) Since KISA is also has certification authority of its own, KISA stopped following the certification for the independence and fairness. However, since the organization is very important by the ICIP law, it is to be monitored and examine information security level to follow the appropriate security level Korean ISMS is requiring.

4. Information Communication Infrastructure Protection Control Lists
KISAʹs Internet address resource management center(“Main Center”), as an important infrastructure, is evaluated based on the ʺKISAʹs information security level examination methodsʺ in management security, physical security, technical security and other information security activities.
To examine the information security level, 12 areas, 54 control lists and 81 specific control lists were researched and developed from the ISO-27001 standard, NISʹs national information security regulation, Information Communication Infrastructure protection regulation.
This evaluation based on information and communication based on knowledge and information protection laws consulting companies (7 companies by Jun, 2012) can be performed.
This specialized vendors capital, expertise, personnel performing, technical skills, history of work performed by considering the vulnerability analysis assessment mission to private contractors a reasonable target was specified by government agencies.

Here are the 12 areas of Important Information Communication Infrastructure.
1) Information Security Policy
- Whether the documentation of information security duties in policy and procedures is properly done and followed as stated
2) Risk Analysis
- Whether the documentation of identifying the resourceʹs risks and planning the protection measures to prevent the information resources and the systems is properly done and followed as stated
3) Configuration Management
- IT configuration elements(procedure of software version and patch upgrades, hardware technical documents) must be properly managed and the procedure and policy must be prepared for configuration changes and must also be followed.
4) Maintenance
- the policy and procedure of the maintenance must be followed during the environmental disasters or illegal accesses, the device suppliers must perform proper repair within the time stated in the contract and only authorized employees can perform the maintenance.
5) Media Protection
- to protect the unauthorized flow out or misuse of media, the procedures and policy must be made and be operated as stated, and the operation procedures for the information stored devices and print outs must be prepared.
6) Security Awareness training
- including the CEOʹs security awareness, the information system(H⁄W, S⁄W, data management and etc. ) proper usage and other security requirements, legal authority, access control and other security issues must be trained regularly.
7) Contingency Plan
- for the variety of disasters and emergency cases, the important system‘s fusibility and reliance must be maintained. The procedures and policies must be stated and documented and also the systems must be operated as stated.
8) Physical and Environmental Security
- examines the location of important facilities and resources, and access control methods. Also evaluates the appropriate protective measures for the physical barrier and entrance control and limitation of the approach from the unauthorized ones.
9) Personnel Security
- The policy and procedures stating that the organization members and the third party that operates the information systems must be screened from the mistake, fraud, robbery, misuse.
10) Incident Response
- for the efficient and fast recovery from the hacking and virus attacks or physical attacks, the plans and procedures must be prepared depending on the areas, configuration system, duty or role definitions. This must documented and followed as stated.
11) Audit and Accountability
- All the records of who, what, how, when on which devices or services and the result of the access(pass or fail) must be audited.
12) System Access Control and Communication Protection
- Whenever developing, upgrading and doing other tasks accessing information systems, security requirements must be followed. And also to protect the data and S⁄W loss, faulty changes, misuses, the safety of the task must be always secured. The applications, service supporting process must be considered as important system and the security requirements appliance must be always reported.

5. Information Communication Infrastructure Protection Lawʹs Information Security Level Evaluation
- Internet address management centerʹs information security level must be annually audited with the Information Communication Infrastructure Information Protection level standards formed with 12 areas and 81 specific access control lists.

Table [30-1] Information Security Level Evaluation List

Information Security level was developed to evaluate the systematic structure of information systems in quantity and quality level and then it is divided into 5-levels of maturity levels. Address resource center(“Main Center”) received 83 point(year 2010: 68.2 point) for the level evaluation and 3rd level(3.67) in maturity level, which is a relatively high level compared to year 2010ʹs 3.50 level.
Important thing is that the evaluation method of maturity level is very negative. The total point in evaluation is the average of all the control lists. But, for the maturity level, it is decided by the lowest control list. This method came from an idea that the most vulnerable control list will eventually be the most threat to the system, and so by improving the weakest point in security will give the most effective way to protect the system.

Figure [30-1] Results of Information Security Level Evaluation

The meaning of maturity level 3, which KISAʹs internet address resource management center(“Main center”) received, is that KISA is properly following the Information Security level evaluation control lists and operating well with its documents and policies.
Also, this evaluation system does not look at the current situation, and level over 3 is given when improvement through task repetition that happened over at least three years can be proved. Considering that KISA was established as a new institution at year 2009, the maturity level received at year 2011 has its meanings.

Internet address management Center has several security regulations of its own and each regulation has its own specific procedures.

Table [30-2] Security regulations

Similar gTLD applications: (2)

gTLDFull Legal NameE-mail suffixzDetail
.삼성SAMSUNG SDS CO., LTDyesnic.com-4.03Compare
.doosanDoosan Corporationyesnic.com-3.97Compare