Saturday, January 1, 2011
Administrative Measures for Information Security Graded Protection (posted on Weak Current College, China Power House Network)
Chapter I General Provisions
Article 1 These Measures are formulated in accordance with the Regulations of the People's Republic of China on Security Protection of Computer Information Systems and other relevant laws and regulations, in order to standardize the management of information security graded protection, raise the capability and level of information security protection, safeguard national security, social stability and the public interest, and protect and promote informatization.
Article 2 The State, by formulating unified management norms and technical standards for information security graded protection, organizes citizens, legal persons and other organizations to carry out graded security protection of information systems, and supervises and manages the implementation of graded protection.
Article 3 The public security organs are responsible for the supervision, inspection and guidance of information security graded protection work. The State secrecy work departments are responsible for the supervision, inspection and guidance of secrecy work within graded protection. The State cryptography management department is responsible for the supervision, inspection and guidance of cryptography work within graded protection. Matters that fall within the authority of other functional departments are handled by those departments in accordance with national laws and regulations. The State Council Informatization Work Office and the offices of the local informatization leading groups are responsible for inter-departmental coordination of graded protection work.
Article 4 The competent departments of information systems shall, in accordance with these Measures and the related standards, supervise, inspect and guide the information security graded protection work of the information system operation and use units in their industry, department or region.
Article 5 Information system operation and use units shall, in accordance with these Measures and the related standards, fulfil the obligations and responsibilities of information security graded protection.
Chapter II Grading and Protection
Article 6 The State applies the principles of independent grading and independent protection to information security graded protection. The security protection level of an information system shall be determined according to the importance of the system to national security, economic construction and social life, and the degree of harm that damage to the system would cause to national security, social order, the public interest, and the lawful rights and interests of citizens, legal persons and other organizations, among other factors.
Article 7 The security protection level of an information system is divided into the following five levels:
Level 1: damage to the information system would harm the lawful rights and interests of citizens, legal persons and other organizations, but would not harm national security, social order or the public interest.
Level 2: damage to the information system would cause serious harm to the lawful rights and interests of citizens, legal persons and other organizations, or would harm social order and the public interest, but would not harm national security.
Level 3: damage to the information system would cause serious harm to social order and the public interest, or would harm national security.
Level 4: damage to the information system would cause especially serious harm to social order and the public interest, or serious harm to national security.
Level 5: damage to the information system would cause especially serious harm to national security.
Article 8 Information system operation and use units protect their information systems in accordance with these Measures and the related technical standards; the State information security regulatory departments supervise and manage their information security graded protection work.
For Level 1 information systems, the operation and use unit shall protect the system in accordance with State management norms and technical standards.
For Level 2 information systems, the operation and use unit shall protect the system in accordance with State management norms and technical standards. The State information security regulatory departments guide the graded protection work of such systems.
For Level 3 information systems, the operation and use unit shall protect the system in accordance with State management norms and technical standards. The State information security regulatory departments supervise and inspect the graded protection work of such systems.
For Level 4 information systems, the operation and use unit shall protect the system in accordance with State management norms, technical standards and the special security needs of its business. The State information security regulatory departments carry out mandatory supervision and inspection of the graded protection work of such systems.
For Level 5 information systems, the operation and use unit shall protect the system in accordance with State management norms, technical standards and the special security needs of its business. The specialized departments designated by the State carry out specialized supervision and inspection of the graded protection work of such systems.
Chapter III Implementation and Management of Graded Protection
Article 9 Information system operation and use units shall implement graded protection in accordance with the Information System Security Graded Protection Implementation Guide.
Article 10 Information system operation and use units shall determine the security protection level of their information systems in accordance with these Measures and the Information System Security Graded Protection Grading Guide. Where a competent department exists, the level shall be examined and approved by that department.
For information systems that run as a unified network across provinces or nationwide, the security protection level is determined uniformly by the competent department.
For information systems proposed to be graded at Level 4 or above, the operation and use unit or its competent department shall invite the national information security graded protection expert review committee to review the grading.
Article 11 Once the security protection level of an information system has been determined, the operation and use unit shall, in accordance with the national management norms and technical standards for information security graded protection, use information technology products that comply with the relevant national regulations and meet the requirements of the system's security protection level to carry out security construction or retrofitting of the system.
Article 12 In constructing an information system, the operation and use unit shall, in accordance with the Classified Criteria for Security Protection of Computer Information Systems (GB 17859-1999), the Baseline Requirements for Information System Security Graded Protection and other technical standards, and with reference to Information Security Technology: General Security Technical Requirements for Information Systems (GB/T 20271-2006), Information Security Technology: Network Infrastructure Security Technical Requirements (GB/T 20270-2006), Information Security Technology: Operating System Security Technical Requirements (GB/T 20272-2006), Information Security Technology: Database Management System Security Technical Requirements (GB/T 20273-2006), Information Security Technology: Server Technical Requirements, Information Security Technology: Terminal Computer System Security Graded Technical Requirements (GA/T 671-2006) and other technical standards, synchronously build the information security facilities that meet the requirements of that level.
Article 13 The operation and use unit shall, with reference to Information Security Technology: Management Requirements for Information System Security (GB/T 20269-2006), Information Security Technology: Management Requirements for Information System Security Engineering (GB/T 20282-2006), the Baseline Requirements for Information System Security Graded Protection and other management standards, formulate and implement a security management system that meets the requirements of the system's security protection level.
Article 14 After construction of an information system is completed, the operation and use unit or its competent department shall select an evaluation institution that meets the conditions prescribed in these Measures and, in accordance with the Information System Security Graded Protection Evaluation Requirements and other technical standards, conduct regular graded evaluation of the system's security level. Level 3 information systems shall be evaluated at least once a year; Level 4 information systems at least once every six months; Level 5 information systems according to their special security needs.
The information system operation and use unit and its competent department shall regularly inspect the security status of the information system and the implementation of its security protection system and measures. Level 3 information systems shall be self-inspected at least once a year; Level 4 information systems at least once every six months; Level 5 information systems according to their special security needs.
Where evaluation or self-inspection finds that the security status of the information system does not meet the requirements of its security protection level, the operation and use unit shall formulate a rectification plan.
Article 15 For information systems at Level 2 or above that are already in operation, the operation and use unit shall, within 30 days after the security protection level is determined, complete filing procedures with the public security organ at or above the level of a city divided into districts where the unit is located.
For newly built information systems at Level 2 or above, the operation and use unit shall complete filing procedures with the public security organ at or above the level of a city divided into districts where the unit is located within 30 days after the system is put into operation.
Information systems of units in Beijing that are subordinate to the central authorities, and information systems that run as a unified network across provinces or nationwide and whose level is determined uniformly by the competent department, are filed by the competent department with the Ministry of Public Security. For information systems that run as a unified network across provinces or nationwide, the branch systems operated and applied in each locality shall be filed with the local public security organ at or above the level of a city divided into districts.
Article 16 When filing an information system for security graded protection, the unit shall complete the Information System Security Graded Protection Filing Form; for Level 3 or above information systems, the following materials shall also be provided:
(1) the system topology and its description;
(2) the system security organization and management system;
(3) the design and implementation plan for the system's security protection facilities, or the retrofit implementation plan;
(4) the information security products used by the system and their certification and sales licences;
(5) the technical evaluation report on whether the evaluation results meet the requirements of the system's security protection level;
(6) the expert review opinions on the system's security protection level;
(7) the examination and approval opinion of the competent department on the system's security protection level.
Article 17 After receiving the filing materials for an information system, the public security organ shall review them. Where the materials meet the requirements of graded protection, it shall issue an Information System Security Graded Protection Filing Certificate within 10 working days of receipt; where the materials are found not to comply with these Measures and the related standards, it shall notify the filing unit within 10 working days of receipt to make corrections; where the grading is found to be inaccurate, it shall notify the filing unit within 10 working days of receipt to re-determine the level.
Where the operation and use unit or its competent department re-determines the level of an information system, it shall file again with the public security organ in accordance with these Measures.
Article 18 The public security organ that accepted the filing shall supervise and inspect the information security graded protection work of the operation and use units of Level 3 and Level 4 information systems. Level 3 information systems shall be inspected at least once a year and Level 4 information systems at least once every six months. Inspection of information systems that run as a unified network across provinces or nationwide shall be carried out jointly with the competent department.
Level 5 information systems are inspected by the specialized departments designated by the State.
The public security organs and the specialized departments designated by the State shall inspect the following matters:
(1) whether the security needs of the information system have changed and whether the originally determined level is still accurate;
(2) the formulation and implementation of the operation and use unit's security management system and measures;
(3) the inspection of information system security carried out by the operation and use unit and its competent department;
(4) whether the graded evaluation of the system's security level meets the requirements;
(5) whether the use of information security products meets the requirements;
(6) the rectification of hidden dangers in the system's security;
(7) whether the filing materials match the actual situation of the operation and use unit and the information system;
(8) other matters that require supervision and inspection.
Article 19 Information system operation and use units shall accept the security supervision, inspection and guidance of the public security organs and the specialized departments designated by the State, and shall truthfully provide them with the following information and data files on information security protection:
(1) changes to the matters filed for the information system;
(2) changes in the security organization and personnel;
(3) changes to the information security management system and measures;
(4) records of the information system's operating status;
(5) records of the periodic information system security inspections carried out by the operation and use unit and its competent department;
(6) the technical evaluation report of the system's graded evaluation;
(7) changes in the information security products used;
(8) the information security emergency plan, and reports on the handling and results of information security incidents;
(9) reports on the results of information system security construction and rectification.
Article 20 Where a public security organ finds during inspection that the security protection status of an information system does not meet the management norms and technical standards for information security graded protection, it shall issue a rectification notice to the operation and use unit. The operation and use unit shall rectify in accordance with the requirements of the notice and the relevant management norms and technical standards, and after completing rectification shall report the result to the public security organ for the record. When necessary, the public security organ may organize an inspection of the rectification.
Article 21 Level 3 or above information systems shall select information security products that meet the following conditions:
(1) the product developer and producer is invested in or held by Chinese citizens, Chinese legal persons or the State, and has independent legal personality within the territory of the People's Republic of China;
(2) the core technology and key components of the product have Chinese independent intellectual property rights;
(3) the product developer and producer and their main business and technical personnel have no criminal record;
(4) the product developer and producer declare that no vulnerabilities, backdoors, Trojan horses or other programs and functions have been deliberately left in or set up;
(5) the product poses no harm to national security, social order or the public interest;
(6) for products already included in the information security product certification catalogue, a certification certificate from a national information security product certification body has been obtained.
Article 22 Level 3 or above information systems shall select evaluation institutions that meet the following conditions to conduct graded evaluation:
(1) established within the territory of the People's Republic of China (excluding the Hong Kong and Macao regions);
(2) an enterprise or public institution invested in by Chinese citizens, Chinese legal persons or the State (excluding Hong Kong and Macao);
(3) engaged in related testing and evaluation work for more than two years with no record of violations of law;
(4) staff limited to Chinese citizens;
(5) the legal representative and the main business and technical personnel have no criminal record;
(6) the technical equipment and facilities used comply with the requirements of these Measures for information security products;
(7) sound systems for secrecy management, project management, quality management, personnel management and training and education, and security management;
(8) poses no threat to national security, social order or the public interest.
Article 23 In conducting graded evaluation of information system security, the evaluation institution shall fulfil the following obligations:
(1) comply with the relevant national laws, regulations and technical standards, provide safe, objective and impartial evaluation services, and guarantee the quality and effectiveness of the evaluation;
(2) keep confidential the State secrets, trade secrets and personal privacy learned during evaluation, and guard against the risks arising from evaluation;
(3) conduct security and confidentiality education for evaluation personnel, sign security and confidentiality responsibility agreements with them that stipulate their security and confidentiality obligations and responsibilities, and be responsible for checking implementation.
Chapter IV Classified Protection Management of Information Systems Involving State Secrets
Article 24 Information systems involving State secrets shall be protected, in light of actual conditions, in accordance with the baseline requirements of national information security graded protection and the management norms and technical standards of the State secrecy work department for classified protection of classified information systems.
Non-classified information systems shall not process State secret information.
Article 25 Classified information systems are divided, according to the highest classification of the information they process, from low to high into three levels: Secret (秘密), Confidential (机密) and Top Secret (绝密).
The unit using a classified information system shall, on the basis of standardized classification of information, determine the system level in accordance with the Classified Protection Management Measures for Classified Information Systems and the national secrecy standard BMB17-2006, Technical Requirements for Classified Protection of Computer Information Systems Involving State Secrets. Where a classified information system contains multiple security domains, the protection level may be determined for each security domain.
The secrecy work departments and institutions shall supervise and guide units using classified information systems to determine the system level accurately and reasonably.
Article 26 Units using classified information systems shall report the grading of their classified information systems and the plans for their construction and use to the secrecy work institution of their business competent department and to the secrecy work department responsible for examining and approving the system, for examination, approval and filing, and shall accept the supervision, inspection and guidance of the secrecy departments.
Article 27 Units using classified information systems shall select units holding classified system integration qualifications to undertake or participate in the design and implementation of the classified information system.
Units using classified information systems shall, in accordance with the management norms and technical standards for classified protection of classified information systems, implement classified protection according to the Secret, Confidential and Top Secret levels, with different requirements, designing plans that fit the actual situation of the system; the protection level shall be no lower than Level 3, Level 4 and Level 5 of general national information security graded protection respectively.
Article 28 Information security products used in classified information systems shall in principle be domestically produced, and shall be selected from the catalogue, published by the National Administration for the Protection of State Secrets, of products that have been tested and qualified by testing institutions authorized by that Administration in accordance with the relevant national secrecy standards.
Article 29 After the project implementation of a classified information system is completed, the unit using the system shall entrust a system evaluation institution authorized by the State secrecy work department to conduct a security evaluation of the classified information system in accordance with the national secrecy standard BMB22-2007, Evaluation Guide for Classified Protection of Computer Information Systems Involving State Secrets.
Before the system goes into use, the unit using the classified information system shall, in accordance with the Regulations on Examination and Approval Management of Computer Information Systems Involving State Secrets, apply to the secrecy work department at or above the level of a city divided into districts for examination and approval of the system; the classified information system may be put into use only after it has been approved. For classified information systems already in use, the construction and use unit shall complete retrofitting of the system in accordance with the classified protection requirements and shall file with the secrecy work department.
Article 30 When applying for examination and approval or filing of a classified information system, the unit using the system shall submit the following materials:
(1) the system design and implementation plan and the review and demonstration opinions on it;
(2) the qualification materials of the system contractor;
(3) a report on the status of system construction and project management;
(4) the system security testing and evaluation report;
(5) the system security organization and management system;
(6) other relevant materials.
Article 31 Where the classification level, connection scope, environment and facilities, main applications, or the unit responsible for security and confidentiality management of a classified information system changes, the construction and use unit shall promptly report to the secrecy work department that examined and approved the system. The secrecy work department shall decide according to the actual situation whether to conduct a new evaluation and examination and approval.
Article 32 Units constructing and using classified information systems shall, in accordance with the national secrecy standard BMB20-2007, Classified Protection Management Norms for Information Systems Involving State Secrets, strengthen security and confidentiality management in the operation of the classified information system, carry out risk assessment regularly, and eliminate hidden dangers and vulnerabilities.
Article 33 The secrecy work departments at the national and local levels supervise and manage the implementation of classified protection of classified information systems in all regions and departments, and do the following work:
(1) guide, supervise and inspect classified protection work;
(2) guide units constructing and using classified information systems to standardize the classification of information and to determine the system protection level reasonably;
(3) participate in the review of classified protection plans for classified information systems, and guide construction and use units to plan and design security facilities synchronously;
(4) supervise and manage classified system integration units in accordance with the law;
(5) strictly carry out system evaluation and examination and approval, and supervise and inspect the establishment and implementation of classified protection management systems and technical measures by units using classified information systems;
(6) strengthen the supervision and inspection of secrecy in the operation of classified information systems, conducting a secrecy inspection or system evaluation at least once every two years for Secret and Confidential level information systems and at least once a year for Top Secret level information systems;
(7) keep track of the level, number, distribution and use management of classified information systems, and discover and investigate violations of regulations and leak incidents of all kinds.
Chapter V Cryptography Management in Information Security Graded Protection
Article 34 The State cryptography management department carries out classified management of cryptography for information security graded protection. The hierarchical protection criteria for cryptography are determined according to the role and importance of the protected object in national security, social stability and economic construction, the degree of harm that would follow from the destruction of the protected object, and the nature of the unit using the cryptography.
Where information system operation and use units use cryptography for graded protection, they shall comply with the Cryptography Management Measures for Information Security Graded Protection, the Technical Requirements for Commercial Cryptography in Information Security Graded Protection and other cryptography management regulations and related standards.
Article 35 The configuration, use and management of cryptography in information security graded protection shall strictly implement the national provisions on cryptography management.
Article 36 Information system operation and use units shall make full use of cryptographic technology to protect their information systems. Where cryptography is used to protect information and information systems involving State secrets, it shall be reported to the National Cryptography Administration for approval, and the design, implementation, use, operation, maintenance and daily management of the cryptography shall comply with the relevant national provisions and standards on cryptography management. Where cryptography is used to protect information and information systems not involving State secrets, it shall comply with the Commercial Cryptography Management Regulations and the relevant provisions and standards on classified cryptography protection, and the configuration and use of the cryptography shall be filed with the cryptography management institution.
Article 37 Where cryptography is used in the graded protection construction and rectification of an information system, cryptographic products approved for use, or permitted for sale, by the State cryptography management department must be used; cryptographic products developed abroad or without authorization shall not be adopted, and imported information technology products with encryption functions shall not be used without authorization.
Article 38 The evaluation of cryptography and cryptographic equipment in information systems is undertaken by testing institutions approved by the National Cryptography Administration; no other department, unit or individual may evaluate or monitor cryptography.
Article 39 Cryptography management departments at all levels may, regularly or irregularly, inspect and evaluate the configuration, use and management of cryptography in information security graded protection; for important classified information systems, the configuration, use and management of cryptography shall be inspected and evaluated at least once every two years. Where supervision and inspection find security hidden dangers, violations of the provisions on cryptography management, or failure to meet the cryptography requirements and related standards, the matter shall be handled in accordance with the national provisions on cryptography management.
Chapter VI Legal Liability
Article 40 Where the operation and use unit of a Level 3 or above information system violates these Measures through any of the following acts, the public security organ, the State secrecy work department and the State cryptography management department shall, according to their respective duties, order it to correct; where it fails to correct within the time limit, a warning shall be given and its competent department notified, with a recommendation that the directly responsible persons in charge and other directly responsible personnel be dealt with, and the handling result fed back:
(1) failing to complete filing or examination and approval as prescribed in these Measures;
(2) failing to implement the security management system and measures as prescribed in these Measures;
(3) failing to conduct system security status inspections as prescribed in these Measures;
(4) failing to conduct system security technical evaluation as prescribed in these Measures;
(5) refusing to rectify after receiving a rectification notice;
(6) failing to select information security products and evaluation institutions as prescribed in these Measures;
(7) failing to truthfully provide relevant documents and evidence as prescribed in these Measures;
(8) violating the provisions on secrecy management;
(9) violating the provisions on cryptography management;
(10) other acts in violation of these Measures.
Where a violation of the preceding paragraph causes serious harm, the relevant departments shall deal with it in accordance with the relevant laws and regulations.
Article 41 Where the information security regulatory departments and their staff neglect their duties, abuse their powers or engage in favouritism in the performance of supervision and management duties, administrative sanctions shall be imposed according to law; where a crime is constituted, criminal responsibility shall be pursued according to law.
Chapter VII Supplementary Provisions
Article 42 For information systems already in operation, the operation and use unit shall determine the security protection level within 180 days of the promulgation of these Measures; for newly built information systems, the security protection level shall be determined at the design and planning stage.
Article 43 "Above" as used in these Measures includes the number itself.
Article 44 These Measures take effect on the date of promulgation; the Administrative Measures for Information Security Graded Protection (Trial) (Gongtongzi [2006] No. 7) are repealed at the same time.