Protection Profile of Personal Information Security System: Designing a Secure Personal Information Security System

As cyber-crimes using personal information such as ID theft are increasing, there is a need for appropriate technology or law to protect privacy. To this end, the Korean Government established the Privacy Act on March 29th 2011. The Privacy Act prescribes a specification for dealing with privacy with the intention to protect personal information from being collected, leaked, misused, or abused so that it can improve rights and interests of the nation and eventually realize the dignity and value of man. The United States, Japan, Canada, and several countries of the EU have their own privacy law being established or revised. Although there must be differences depending on the circumstances of each country, the ultimate goal of the privacy law should be the same. Consequently, there might be the same or similar technical protection required by all these countries. Between the increasing interest in protecting personal information and the establishment of the Privacy Act, many industries are having relevant products released one after another. Customers without knowledge of the law and the product types cannot decide what they need. This paper intends to derive necessary security functions of a personal information security system based on the Common Criteria and analyze the limit of the products in order to make guidelines for privacy and information protection system.