Article 1 These Measures are formulated in accordance with the Regulations of the People's Republic of China on the Security Protection of Computer Information Systems and other relevant laws and regulations, in order to standardize the management of information security level protection, improve information security capability and maturity, safeguard national security, social stability and public interests, and guarantee and promote the development of informatization.
Article 2 The state organizes citizens, legal persons and other organizations to implement classified security protection of information systems by formulating unified management norms and technical standards for classified protection of information security, and supervises and manages the implementation of classified protection.
Article 3 Public security organs are responsible for the supervision, inspection and guidance of information security level protection work. The state secrecy department is responsible for the supervision, inspection and guidance of secrecy work within level protection work. The national cryptography management department is responsible for the supervision, inspection and guidance of cryptographic work within level protection work. Matters under the jurisdiction of other functional departments shall be managed by those departments in accordance with national laws and regulations. The Informatization Work Office of the State Council and local informatization leading group offices are responsible for inter-departmental coordination of level protection work.
Article 4 The competent department of information systems shall, in accordance with these Measures and relevant standards and norms, supervise, inspect and guide the information security level protection work of information system operators and users in their own industries, departments and regions.
Article 5 Information system operators and users shall fulfill their obligations and responsibilities of information security level protection in accordance with these Measures and relevant standards.
Chapter II Graded Protection
Article 6 The classification protection of national information security adheres to the principles of independent classification and independent protection. The level of information system security protection shall be determined according to the importance of the information system in national security, economic construction and social life, and the degree of harm to national security, social order, public interests and the legitimate rights and interests of citizens, legal persons and other organizations after the information system is destroyed.
Article 7 The security protection levels of information systems are divided into the following five levels:
Level I: damage to the information system would harm the legitimate rights and interests of citizens, legal persons and other organizations, but would not harm national security, social order or public interests.
Level II: damage to the information system would cause serious harm to the legitimate rights and interests of citizens, legal persons and other organizations, or harm social order and public interests, but would not endanger national security.
Level III: damage to the information system would cause serious harm to social order and public interests, or harm national security.
Level IV: damage to the information system would cause particularly serious harm to social order and public interests, or serious harm to national security.
Level V: damage to the information system would cause particularly serious harm to national security.
Article 8 Operators and users of information systems shall protect information systems in accordance with these Measures and relevant technical standards, and the relevant information security supervision departments of the state shall supervise and manage their information security level protection.
The operating and using units of Level I information systems shall protect them in accordance with the relevant national management norms and technical standards.
The operating and using units of Level II information systems shall protect them in accordance with the relevant national management norms and technical standards. The national information security supervision department shall guide the information security level protection work for information systems at this level.
The operating and using units of Level III information systems shall protect them in accordance with the relevant national management norms and technical standards. The national information security supervision department shall supervise and inspect the information security level protection work for information systems at this level.
The operating and using units of Level IV information systems shall protect them in accordance with the relevant national management norms, technical standards and special business requirements. The national information security supervision department shall conduct compulsory supervision and inspection of the information security level protection work for information systems at this level.
The operating and using units of Level V information systems shall protect them in accordance with national management norms, technical standards and special business security requirements. A special department designated by the state shall supervise and inspect the information security level protection work for information systems at this level.
Chapter III Implementation and Management of Grade Protection
Article 9 Operators and users of information systems shall implement level protection in accordance with the Guidelines for the Implementation of Information System Security Level Protection.
Article 10 Operators and users of information systems shall determine the level of security protection of information systems in accordance with these Measures and the Guidelines for Classification of Security Level Protection of Information Systems. If there is a competent department, it shall be examined and approved by the competent department.
For information systems operating across provinces or nationwide on a unified network, the security protection level may be determined uniformly by the competent department.
For information systems determined to be Level IV or above, the operating and using unit or the competent department shall submit the determination to the National Information Security Protection Level Expert Review Committee for review.
Article 11 After the level of information system security protection is determined, the operating and using units shall, in accordance with the national information security level protection management norms and technical standards, use information technology products that meet the relevant provisions of the state and meet the requirements of information system security protection level to carry out information system security construction or transformation.
Article 12 In the course of information system construction, the operating and using unit shall, in accordance with technical standards such as the Classification Criteria for Security Protection Levels of Computer Information Systems (GB 17859-1999) and the Basic Requirements for Information System Security Level Protection, and with reference to the General Security Technical Requirements for Information Systems (GB/T 20271-2006), the Basic Security Technical Requirements for Information Security Technology Networks (GB/T 20270-2006), Operating System Security Technology, Information Security Technology Server Technical Requirements, and Information Security Technology Terminal Computer System Security Level Technical Requirements (GA/T)
Article 13 An operating and using entity shall formulate and implement a security management system that meets the requirements of the security protection level of this system with reference to management specifications such as Information Security Technology Information System Security Management Requirements (GB/T20269-2006), Information Security Technology Information System Security Engineering Management Requirements (GB/T20282-2006) and Basic Requirements for Information System Security Level Protection.
Article 14 After construction of the information system is completed, the operating and using unit or its competent department shall select an evaluation institution meeting the conditions stipulated in these Measures and regularly carry out level evaluation of the information system according to technical standards such as the Evaluation Requirements for Information System Security Level Protection. Level III information systems shall be evaluated at least once a year, Level IV information systems at least once every six months, and Level V information systems according to special security requirements.
Operating and using units of information systems and their competent departments shall regularly check the security status of information systems and the implementation of security protection systems and measures. Self-inspection shall be carried out at least once a year for Level III information systems, at least once every six months for Level IV information systems, and according to special security requirements for Level V information systems.
If, after evaluation or self-inspection, the security status of the information system does not meet the requirements of its security protection level, the operating and using unit shall formulate a rectification plan.
Article 15 Information systems at Level II or above that are already in operation shall, within 30 days after the security protection level is determined, complete filing procedures with the local public security organ at or above the municipal level (cities with districts).
Newly built information systems at Level II or above shall, within 30 days after being put into operation, complete filing procedures with the local public security organ at or above the municipal level (cities with districts).
The information system of the central government-owned units in Beijing, which operates across provinces or across the country and is uniformly classified by the competent department, shall be filed with the Ministry of Public Security by the competent department. Sub-systems running application information systems across provinces or nationwide in the unified network shall be filed with the local public security organs at or above the municipal level.
Article 16 When completing filing procedures for the security protection level of an information system, the Information System Security Level Protection Filing Form shall be filled in, and for information systems at Level III or above the following materials shall be provided at the same time: (1) system topology and description; (2) system security organization and management system; (3) design implementation scheme or transformation implementation scheme for system security protection facilities; (4) list of information security products used by the system and their certification and sales license certificates; (5) technical inspection and evaluation report showing that the system meets its security protection level after evaluation; (6) expert review opinions on the security protection level of the information system; (7) examination and approval opinions of the competent department on the security protection level of the information system.
Article 17 After an information system is filed, the public security organ shall review the filing. If it meets the requirements of level protection, the public security organ shall issue an Information System Security Level Protection Filing Certificate within 10 working days from the date of receiving the filing materials; if it is found not to conform to these Measures and relevant standards, the public security organ shall notify the filing unit to make corrections within 10 working days from the date of receiving the filing materials; if the level is found to be inaccurately determined, the public security organ shall notify the filing unit to re-examine and confirm it within 10 working days from the date of receiving the filing materials.
After the operation and use unit or the competent department re-determines the information system level, it shall re-file with the public security organ in accordance with these measures.
Article 18 The public security organ accepting the filing shall inspect the information security level protection work of the operating and using units of Level III and Level IV information systems. Level III information systems shall be inspected at least once a year and Level IV information systems at least once every six months. Inspection of information systems operating across provinces or nationwide on a unified network shall be the responsibility of the competent department.
The fifth-level information system shall be inspected by a special department designated by the state.
Public security organs and special departments designated by the state shall inspect the following items: (1) whether the security requirements of the information system have changed and whether the originally determined level is still accurate; (2) the implementation of the security management system and measures of the operating and using unit; (3) the checks of information system security status carried out by the operating and using unit and its competent department; (4) whether the system security level evaluation meets the requirements; (5) whether the information security products used meet the requirements; (6) information system security rectification; (7) whether the filing materials are consistent with the operating and using unit and the information system; (8) other matters that should be supervised and inspected.
Article 19 Operating and using units of information systems shall accept the security supervision, inspection and guidance of public security organs and special departments designated by the state, and truthfully provide them with the following information materials and data files related to information security protection: (1) changes in information system filing matters; (2) changes in security organizations and personnel; (3) changes in information security management systems and measures; (4) records of the operating status of the information system; (5) records of regular information system security inspections by the operating and using unit and the competent department; (6) technical evaluation reports from information system level evaluation; (7) changes in the use of information security products; (8) emergency plans for information security incidents and reports on the results of emergency handling of information security incidents; (9) reports on the results of information system security construction and rectification.
Article 20 Where a public security organ finds that the security protection status of an information system does not meet the relevant management norms and technical standards for information security level protection, it shall issue a rectification notice to the operating and using unit. The operating and using unit shall, as required by the rectification notice, carry out rectification in accordance with the management norms and technical standards, and after rectification is completed shall file a rectification report with the public security organ. When necessary, the public security organ may organize an inspection of the rectification.
Article 21 Information systems at Level III or above shall select and use information security products that meet the following conditions: (1) the product research, development and production unit is invested in or controlled by Chinese citizens, Chinese legal persons or the state, and has independent legal person status within the People's Republic of China; (2) the core technologies and key components of the product have independent intellectual property rights in China; (3) the product research, development and production unit and its main business and technical personnel have no criminal record; (4) the product research, development and production unit declares that it has not intentionally left or set up programs or functions such as vulnerabilities, backdoors or trojans; (5) the product does not endanger national security, social order or public interests; (6) where the product has been included in the information security product certification catalogue, it has obtained the certification certificate issued by the national information security product certification body.
Article 22 Information systems at Level III or above shall be evaluated by level protection evaluation institutions that meet the following conditions: (1) registered within the People's Republic of China (excluding Hong Kong, Macao and Taiwan); (2) an enterprise or institution invested in by Chinese citizens, Chinese legal persons or the state (excluding Hong Kong, Macao and Taiwan); (3) engaged in relevant testing and evaluation work for more than two years, with no record of violations; (4) staff limited to Chinese citizens; (5) the legal person and its main business and technical personnel have no criminal record; (6) the technical equipment and facilities used meet the requirements of these Measures for information security products; (7) has sound security management systems for confidentiality management, project management, quality management, personnel management, and training and education; (8) does not pose a threat to national security, social order or public interests.
Article 23 Institutions engaged in information system security level evaluation shall fulfill the following obligations: (1) abide by relevant national laws, regulations and technical standards, provide secure, objective and fair testing and evaluation services, and ensure the quality and effectiveness of evaluation; (2) keep the state secrets, business secrets and personal privacy learned in evaluation activities confidential, and guard against evaluation risks; (3) educate evaluators on security and confidentiality, sign security and confidentiality responsibility letters with them stipulating the security and confidentiality obligations and legal responsibilities they must fulfill, and be responsible for checking and implementing these.
Chapter IV Level Protection and Management of Classified Information Systems
Article 24 A classified information system shall be protected in accordance with the basic requirements for classified protection of national information security, the regulations and technical standards for classified information system protection of state secrecy departments, and in combination with the actual situation of the system. Non-confidential information systems shall not handle state secret information.
Article 25 Classified information systems are divided, according to the highest classification level of the information they process, into three levels from low to high: secret, confidential and top secret.
Units that construct and use classified information systems shall, on the basis of information specification and classification, determine the system level in accordance with the Administrative Measures for Classified Information System Level Protection and the National Secrecy Standard BMB 17-2006 Technical Requirements for Classified Protection of Computer Information Systems Involving State Secrets. For a classified information system with multiple security domains, each security domain can determine the protection level separately.
Security departments and institutions shall supervise and guide the construction and use of classified information systems, and accurately and reasonably classify the systems.
Article 26 The construction and use unit of the classified information system shall report the classification, construction and use of the classified information system to the secrecy department of the competent business department and the secrecy department responsible for the examination and approval of the system for the record, and accept the supervision, inspection and guidance of the secrecy department.
Article 27 Units constructing and using classified information systems shall select qualified units to undertake or participate in the design and implementation of the classified information system.
The unit constructing and using a classified information system shall design the scheme in accordance with the management norms and technical standards for classified information systems and the different requirements of the secret, confidential and top secret levels, and implement classified protection in light of the actual situation of the system. The protection level shall in principle be no lower than Level III, IV and V respectively of national information security level protection.
Article 28 The information security products used in classified information systems shall be domestic products in principle, and shall be tested by testing institutions authorized by the State Secrecy Bureau in accordance with relevant national confidentiality standards. The products that pass the test should be reviewed and published by the State Secrecy Bureau.
Article 29 After the system project is implemented, the unit constructing and using the classified information system shall apply to the secrecy department, and a system evaluation institution authorized by the State Secrecy Bureau shall conduct a security evaluation of the classified information system in accordance with the national secrecy standard BMB22-2007 "Evaluation Guide for Level Protection of Computer Information Systems Involving State Secrets".
Before the system is put into use, the construction and use unit of the classified information system shall, in accordance with the Provisions on the Administration of Examination and Approval of State Secret Information Systems, apply to the secrecy department at or above the municipal level with districts for system examination and approval. Only after passing the examination and approval can the classified information system be put into use. For the classified information system that has been put into use, the construction and use unit shall, after completing the rectification of the system in accordance with the requirements of classified protection, file with the security department.
Article 30 When applying for system approval or filing, the unit constructing and using the classified information system shall submit the following materials: (1) system design and implementation scheme and the review and demonstration opinions; (2) qualification certification materials of the system contractor; (3) system construction and project supervision report; (4) system security inspection and evaluation report; (5) system security organization and management system; (6) other relevant materials.
Article 31 When the security level, connection scope, environmental facilities, main applications and the unit responsible for security and confidentiality management of the classified information system change, the construction and use unit shall promptly report to the security department responsible for examination and approval. The security department shall, according to the actual situation, decide whether to re-evaluate the approval.
Article 32 Units that construct and use classified information systems shall strengthen the confidentiality management in the operation of classified information systems in accordance with the national confidentiality standard BMB20-2007 "Management Standard for Hierarchical Protection of Information Systems Involving State Secrets", conduct regular risk assessments, and eliminate hidden dangers and loopholes in disclosure.
Article 33 The state and local secrecy departments at all levels shall supervise and manage the level protection of classified information systems in their regions and departments according to law, and carry out the following work: (1) guide, supervise and inspect the development of level protection work; (2) guide units constructing and using classified information systems to standardize information classification and reasonably determine the protection level of the system; (3) participate in the demonstration of classified information system level protection schemes, and guide construction and use units in the synchronous planning and design of secrecy facilities; (4) supervise and manage the qualified units for classified information system integration according to law; (5) strictly implement system evaluation and approval, and supervise and inspect the implementation of the level protection management system and technical measures by users of classified information systems; (6) strengthen supervision and inspection of the operation of classified information systems, at least once every two years for secret and confidential information systems and at least once a year for top secret information systems; (7) keep track of the management and use of classified information systems of all kinds and at all levels, and promptly discover and investigate leaks and violations of all kinds.
Chapter V Cryptography Management in Information Security Level Protection
Article 34 The national cryptography management department implements classified and graded management of cryptography used in information security level protection. The classified and graded protection criteria are determined according to the role and importance of the protected object in national security, social stability and economic construction, the security protection requirements and confidentiality of the protected object, the degree of harm caused if the protected object is damaged, and the nature of the department using cryptography.
Operators or users of information systems that use cryptography for level protection shall comply with cryptography management regulations and related standards such as the Administrative Measures for Cryptography in Information Security Level Protection and the Technical Requirements for Commercial Cryptography in Information Security Level Protection.
Article 35 The provision, use and management of cryptography in information system security level protection shall strictly implement the relevant national regulations on cryptography management.
Article 36 Operators and users of information systems shall make full use of cryptographic technology to protect information systems. Where cryptography is used to protect information and information systems involving state secrets, it shall be reported to the State Cryptography Administration for examination and approval, and the design, implementation, use, operation and maintenance, and daily management of the cryptography shall be carried out in accordance with the relevant provisions and standards of the State Cryptography Administration. Where cryptography is used to protect information and information systems not involving state secrets, the Regulations on the Administration of Commercial Cryptography and the relevant provisions and standards on classified and graded protection of cryptography shall be observed, and the use of cryptography shall be filed with the State Cryptography Administration.
Article 37 Where cryptographic technology is used in the construction and rectification of information systems for level protection, cryptographic products approved or licensed by the State Cryptography Administration shall be used for security protection; cryptographic products imported from abroad or developed without authorization shall not be used, and imported information technology products with encryption functions shall not be used without approval.
Article 38 Evaluation of information system cryptography and cryptographic equipment shall be undertaken by evaluation institutions recognized by the State Cryptography Administration, and no other department, unit or individual may evaluate or monitor cryptography.
Article 39 Cryptography management departments at all levels may regularly or irregularly inspect and evaluate the configuration, use and management of cryptography in information system level protection, and shall inspect and evaluate the configuration, use and management of cryptography in important classified information systems at least once every two years. Where, during supervision and inspection, security risks, violations of relevant cryptography management provisions, or non-compliance with relevant cryptography standards are found, they shall be handled in accordance with the relevant national provisions on cryptography management.
Chapter VI Legal Liability
Article 40 Where a unit operating and using an information system at Level III or above violates these Measures by committing any of the following acts, the public security organ, the state secrecy department or the State Cryptography Administration shall, according to their division of responsibilities, order it to make corrections within a time limit; if it fails to make corrections within the time limit, it shall be given a warning, its superior competent department shall be informed of the situation with a recommendation that the person directly in charge and other directly responsible personnel be dealt with, and the handling results shall be reported back in a timely manner: (1) failing to file and obtain approval as required by these Measures; (2) failing to implement the security management system and measures as required by these Measures; (3) failing to carry out system security inspection as required by these Measures; (4) failing to carry out system security technical evaluation as required by these Measures; (5) refusing to rectify after receiving a rectification notice; (6) failing to select and use information security products and evaluation institutions as required by these Measures; (7) failing to provide relevant documents and supporting materials as required by these Measures; (8) violating the provisions on secrecy management; (9) violating the provisions on cryptography management; (10) violating other provisions of these Measures.
In violation of the provisions of the preceding paragraph, causing serious damage, the relevant departments shall deal with it in accordance with relevant laws and regulations.
Article 41 If the information security supervision department and its staff neglect their duties, abuse their powers or engage in malpractices for selfish ends when performing their duties of supervision and management, they shall be given administrative sanctions according to law; If a crime is constituted, criminal responsibility shall be investigated according to law.
Chapter VII Supplementary Provisions
Article 42 Operators and users of information systems shall determine the security protection levels of their information systems within 180 days from the date these Measures take effect; the security protection level of a new information system shall be determined at the design and planning stage.
Article 43 For the purposes of these Measures, "above" includes the level itself.
Article 44 These Measures shall come into force as of the date of promulgation, and the Administrative Measures for the Protection of Information Security Levels (Trial) (G.T.Z. [2006] No.7) shall be abolished at the same time.