Best Practices for Inspecting the Management System of Electronic Financial Infrastructure

Victims of various financial fraud incidents, such as voice phishing, malicious URLs, mobile scams, account and card misuse, internet banking fraud, and ARS authentication scams, are on the rise. Recently, hacking and fraud techniques have become more sophisticated, exploiting vulnerabilities in open banking, simple payment services (Pay), enhanced scam methods, hackers' use of leaked personal information, and the takeover of personal PCs and mobile devices. Financial authorities and various financial institutions do not specifically disclose the procedures of these incidents or the hacking methods used to financial consumers. Having received reports from those around me about the growing misunderstandings among people who have never experienced hacking, I recognized the seriousness of the situation and produced this educational material. I sincerely hope you gain an accurate understanding of hacking, comprehend the relevant laws and policies, and properly establish proactive prevention systems and strengthen response measures. (Under current law, you are responsible for any incidents that occur.)

- Strengthening understanding of inspections based on Privacy Impact Assessment checklist items - Finding and improving errors in personal information flow charts - Identifying and improving personal information breach factors - Understanding Privacy Impact Assessments and finding errors - Understanding Personal Information Protection Act and finding errors

- Public and private sector top-tier information security and personal information protection management system certification audit training in Korea - Preparation for ISMS-P certification strengthening due to comprehensive information security measures establishment - Management system GAP assessment and improvement plan development training - Individual training for ISMS-P initial audit, follow-up audit, and renewal audit - Professional information security training for acquiring excellent information security level enterprise certification

- Specialized training in preparation for Financial Security Institute ISMS-P certification audits - Identifying information security workflows and establishing improvement plans for fintech and electronic financial companies - ISMS-P certification application process following vulnerability analysis and evaluation of electronic financial infrastructure in accordance with the Electronic Financial Supervisory Regulations - Improving incident response and data breach response manuals for financial institutions - Know-how on creating personal information flowcharts and establishing personal credit information management systems, as well as submitting operational performance reports in accordance with the Credit Information Act

With hacking incidents occurring continuously from 2025 to the present, the addition of penetration testing to ISMS-P certification has been finalized. As the work-life balance and importance of penetration testers rise, there is a need for an environment where they can grow. Unlike other fields of information security, penetration testers can only practice and build portfolios when a proper environment is provided. Unlike the first penetration testing environment which simply provided a practice lab, this second environment allows you to build the website yourself, complete with more diverse admin functions and even actual payment features! Penetration testing scenarios for achieving practical goals have been fully implemented! ~Hone your skills according to the 2026 Major Information and Communication Infrastructure penetration testing items and evolve into one of the top penetration testers in the country!~

The recent Coupang personal information leak has been recorded as the largest data breach in South Korea's history, marking an instance where the personal information of virtually every South Korean citizen was compromised. However, the debate regarding the effectiveness of ISMS-P concluded with meaningless improvement measures such as mock hacking and certification revocation. As of December 11, 2025, companies like Coupang—which were subjects of the Personal Information Processing Policy Evaluation System conducted by the Personal Information Protection Commission in 2024—continue to operate in violation of more than 10 criteria of that evaluation system. The reason for this lies in human error involving Coupang's personal information team (comprised of top domestic and international experts) and ISMS-P auditors (who hold the highest domestic and international qualifications). With basic common knowledge of the Personal Information Protection Act, this recent leak, as well as breaches at Gmarket, Netmarble, SKT, KT, and LG U+, could have all been prevented. In reality, accidents continue to occur because customers' personal information is not protected—or appropriate protective measures are not established and operated—due to human issues such as inadequate preliminary inspections and differences in legal interpretation. Through this lecture, you can acquire the skills to evaluate personal information transparently and objectively, with the hope that personal information protection for customers will be achieved through professional training aimed at proper inspection methods and eliminating blind spots.

As customer anxiety grows due to the expansion of personal information leak incidents, companies have been operating management systems that fail to properly identify personal data or implement adequate security measures. These systems have relied on operational frameworks based on ISMS-P/ISO27701 standards (managed by lawyers, etc.) and penetration testing (RED TEAMs, e.g., Coupang) composed of winners from domestic and international hacking competitions. Even companies that have not yet experienced an incident are in a situation where a leak could occur at any time. - The reason is that personal information managers are creating unmanaged blind spots themselves, such as through inadequate methods of obtaining customer consent and insufficient identification of personal information processing statuses. -> Therefore, it is necessary to share information regarding fines and penalties (as of 2024.12.8) related to domestic companies' consent forms and privacy policies. This will improve business operations by enhancing the expertise of personal information managers and ensuring that proper security measures for personal information protection are transparently disclosed to customers.

(No Audio) Since most large corporations and financial institutions are conducting penetration testing in addition to standard mock hacking, there is a recent need to establish new roles and secure capabilities to perform "Red Team" style intrusions. Therefore, beyond simple web and app mock hacking, we have opened a training course where participants can discover scenarios for infiltrating servers and practice large-scale personal information exfiltration. + Provision of server and website environments for penetration testing + Sharing of hacking tools and methodologies

- This project involves installing actual apps on mobile phones and practicing simulated hacking using hacking tools, in accordance with the inspection standards for electronic financial infrastructure and public services. - This course allows you to gain an understanding of mobile app penetration testing, overcome any hesitations, and learn everything from inspection know-how to report writing and communication methods.

- Provision of penetration testing environments and inspection tools - Web penetration testing practice based on the 2026 revised edition for Critical Information and Communication Infrastructure - Web penetration testing practice based on the 2026 revised edition for Electronic Financial Infrastructure - Review and sharing of vulnerabilities existing on websites - Training on penetration testing reporting methods and improvement strategies

- Training on inspection methods aligned with cloud management system inspection items among the vulnerability analysis and evaluation criteria for electronic financial infrastructure - Inspecting the application of protective measures required by the Electronic Financial Supervision Regulations for cloud and virtualization environments, respectively - Organizing the items that must be included in the establishment of cloud security regulations and procedures - Securing evidentiary materials for tasks related to the evaluation and certification of cloud environments

-Learn about the information security continuous assessment items conducted annually for financial companies, and strengthen preparation and response capabilities as a financial security officer -Learn based on the highest-grade information security continuous assessment cases, and receive education on know-how to achieve and maintain the highest grade in information security continuous assessment

- Based on the 2025 Handbook for Personal Information Protection Level Evaluation - Proposing measures to apply personal information best practices from the top 1% of public institutions - Analysis of deduction factors for each quantitative and qualitative indicator - Presenting application cases of synthetic data (PETs: Privacy Enhancing Technologies) to secure scores for new technology (bonus points) indicators - Providing cases of securing safe zones for personal information utilization, manual production, disclosure performance, and CEO reporting cases

- Establishment of incident response manuals and training plans - Introduction of training cases such as penetration testing, DDoS, and APT - Sharing long-term information security strategies (~2027 or ~2030) of leading domestic companies - Introduction of information security activities of leading domestic companies - Education on Risk Management Framework (RMF) and Zero Trust implementation cases for electronic financial companies

- Understanding the establishment and inspection of personal information management systems in accordance with the Personal Information Protection Act - Inspection and status assessment of personal information processing systems - Creation of personal information flow charts and flow diagrams - Identification of personal information breach factors - Publication of personal information impact assessment summaries

- Policy revision for establishing cloud management systems (CSP/MSP contracts and SaaS contracts) - Vulnerability assessment for ISMS-P/ISO27001 certification or major information communication/electronic financial infrastructure response in cloud environments (public/private asset identification and vulnerability remediation) - Security operations and incident response in cloud environments - ISO27017&ISO27018 certification response

Developed to submit annual performance records, including the establishment of information security regulations and the preparation of various activity evidence, by applying domestic and international certification standards for Information Security Management Systems (ISMS) and internal/external audit criteria to the revised Risk Assessment standards for the Management and Physical sectors of Critical Information and Communication Infrastructure in the second half of 2025. The plan is designed to prepare for changes in the external environment (AI, etc.), internal environment (new systems and changes in employees/external staff), and new evaluation indicators and legal amendments. It aims to establish activity plans to advance information security levels compared to the previous year. Specifically, it involves objectively and meticulously inspecting various activities to strengthen accident prevention systems—such as personal information leaks caused by hacking—and establishing plans for the headquarters to supervise all departments and ensure the secure management of contractors. This includes operating DevSecOps systems following the introduction of AI systems and implementing Privacy by Design (PbD) adequacy review frameworks. The execution is based on expanding monitoring and periodic inspection report areas, external disclosure areas, data linkage system inspections (API, MyData, etc.), establishing network separation improvement plans according to N2SF, and advancing Zero Trust implementation. *Possessing over 150 references for establishing and applying the world's first and highest-level information security and personal information protection activities and system enhancement plans.

Transfer of inspection know-how for 2025 Electronic Financial Infrastructure (OS Virtualization, Container Virtualization) and transfer of inspection know-how for Critical Information and Communication Infrastructure (CA, HV) revised in the second half of 2025. In particular, risk assessments will be provided for the latest versions of core hypervisors (ESXi, Xenserver). Additionally, risk assessments for K8S (Kubernetes_master), Docker, etc., will be provided. Finally, vulnerability analysis and evaluation results that meet CSAP (Cloud Security Assurance Program) standards will be provided. **Installation methods for ESXi, Kubernetes master, Docker, and Xencenter provided.

Training for establishing risk assessment methods for network equipment, security devices, and control systems based on the revised Critical Information and Communication Infrastructure standards for the second half of 2025, and eliminating vulnerabilities through the integration of years of know-how and fast, accurate inspections and remedial actions. In particular, we expect efforts to secure inspection speed and improvement plans in accordance with the designation of ISMS-P and ISO27001 certification scopes. Gain experience with network equipment, security devices, and control systems—which are relatively less accessible and more difficult to set up environments for compared to Servers, DBs, WEB, WAS, PCs, and Cloud (Public, Private).

Vulnerability analysis and evaluation for electronic financial infrastructure as of 2025, covering DBMS, WAS (PaaS), and PC based on the revised standards for critical information and communications infrastructure in the second half of 2025. Additionally, penetration testing explained according to the standards revised in the second half of 2025, including mobile penetration testing. Expect skill improvement through the transfer of know-how, along with fast and accurate inspection methods and remediation plans.

- Training on inspection methods aligned with cloud management system inspection items among the vulnerability analysis and evaluation criteria for electronic financial infrastructure - Inspecting the application of protective measures required by the Electronic Financial Supervision Regulations for cloud and virtualization environments, respectively - Organizing the items that must be included in the establishment of cloud security regulations and procedures - Securing evidentiary materials for tasks related to the evaluation and certification of cloud environments

- Public and private sector top-tier information security and personal information protection management system certification audit training in Korea - Preparation for ISMS-P certification strengthening due to comprehensive information security measures establishment - Management system GAP assessment and improvement plan development training - Individual training for ISMS-P initial audit, follow-up audit, and renewal audit - Professional information security training for acquiring excellent information security level enterprise certification

We provide 140 sounds in 5 areas that will help you with the CPPG certification exam. We also provide an introduction to how to use the 111 questions that are automatically generated each time, and a one-time lecture and explanation.

You can effectively study the contents of the Information Security Engineer practical exam questions and obtain the Information Security Engineer practical qualification.

This lecture is designed to prepare for the Information Security Engineer written exam, and it will help you concisely summarize the core theories and strengthen your practical skills through problem solving. Take a step closer to obtaining the Information Security Engineer certification with analysis of past questions and practical preparation strategies.

Nationally Certified Industrial Security Manager: "Final update of the newly renewed version is complete"!! The 2026 exam schedule is expected to be announced between February and March on the following site (https://license.kaits.or.kr/license/web/board/brdList.do?menu_cd=000021). This course is designed to help you obtain the Nationally Certified Industrial Security Manager certification by providing a systematic understanding of industrial security from a management perspective. Rather than focusing on rote memorization, the content systematically organizes the concepts, structures, and flows of industrial security so that even non-security majors can understand it, preparing you for the exam while also supporting practical work and career expansion.

This course puts an end to Linux server operational vulnerabilities caused by incorrect permissions. Master file and directory permission control based on real-world industry standards.

This course carefully selects the core systems that beginners must know in the vast field of information security. Instead of rigid theory, it's structured to help you intuitively understand system principles through clear analogies and practical examples. With this single course, you can grasp the big picture of information security systems as a whole and develop practical skills.

This is an online course where you can learn essential content for certification, from basic concepts of information security to the latest security issues. With theory reflecting the latest exam trends and practical mock tests, you can efficiently prepare for the exam, and it's structured so that even those new to information security can easily follow along.

This course systematically teaches practical Docker skills (installation→operation→automation→security) and comprehensively covers the latest security threats and countermeasures in each section. It features a hands-on approach where you learn by following along with practical exercises. This curriculum is highly recommended for DevOps engineers, infrastructure engineers, and security practitioners who want to experience the latest container/cloud environments in real-world scenarios.

You can understand the concept and technology of blockchain and conduct ISMS-P certification audits specialized for virtual asset exchanges.