Notice on Printing and Distributing the Administrative Measures for Classified Protection of Information Security
To the public security departments (bureaus), secrecy bureaus, cryptography administrations (offices of the cryptography administration commissions) and informatization leading group offices of all provinces, autonomous regions and municipalities directly under the Central Government; the public security bureau, secrecy bureau, cryptography administration and informatization leading group office of the Xinjiang Production and Construction Corps; the secrecy committee offices, cryptography work leading group offices and informatization leading group offices of the ministries and commissions of the central and state organs; and the secrecy committee offices of all people's organizations:
In order to accelerate the classified protection of information security, standardize its management, improve the capability and level of information security assurance, safeguard national security, social stability and the public interest, and safeguard and promote informatization, the Ministry of Public Security, the National Administration for the Protection of State Secrets, the State Cryptography Administration and the State Council Informatization Office have formulated the Administrative Measures for Classified Protection of Information Security. They are hereby printed and distributed to you; please implement them carefully.
Ministry of Public Security
National Administration for the Protection of State Secrets
State Cryptography Administration
State Council Informatization Office
June 22, 2007
Administrative Measures for Classified Protection of Information Security
Chapter I General Provisions
Article 1 These Measures are formulated in accordance with the Regulations of the People's Republic of China on the Security Protection of Computer Information Systems and other relevant laws and regulations, in order to standardize the management of classified protection of information security, improve the capability and level of information security assurance, safeguard national security, social stability and the public interest, and safeguard and promote informatization.
Article 2 The State organizes citizens, legal persons and other organizations to implement security protection of information systems by level, and supervises and manages the implementation of classified protection by formulating unified administrative norms and technical standards for it.
Article 3 The public security organs are responsible for supervising, inspecting and guiding the work of classified protection of information security. The state secrecy work department is responsible for supervising, inspecting and guiding the secrecy work within classified protection. The state cryptography administration department is responsible for supervising, inspecting and guiding the cryptography-related work within classified protection. Matters within the remit of other functional departments are managed by those departments in accordance with national laws and regulations. The State Council Informatization Office and the local informatization leading group offices are responsible for the interdepartmental coordination of classified protection.
Article 4 The competent department of an information system shall, in accordance with these Measures and the relevant standards and specifications, supervise, inspect and guide the classified protection work of the operating and using units of information systems in its industry, department or locality.
Article 5 The operating and using units of information systems shall perform the obligations and responsibilities of classified protection of information security in accordance with these Measures and the relevant standards and specifications.
Chapter II Classification and Protection
Article 6 The national classified protection of information security adheres to the principle of independent grading and independent protection. The security protection level of an information system is determined by the importance of the system to national security, economic construction and social life, and by the degree of harm that destruction of the system would cause to national security, social order, the public interest and the lawful rights and interests of citizens, legal persons and other organizations.
Article 7 The security protection level of an information system is divided into the following five levels:
Level 1: destruction of the information system would harm the lawful rights and interests of citizens, legal persons and other organizations, but would not harm national security, social order or the public interest.
Level 2: destruction of the information system would seriously harm the lawful rights and interests of citizens, legal persons and other organizations, or harm social order and the public interest, but would not harm national security.
Level 3: destruction of the information system would seriously harm social order and the public interest, or harm national security.
Level 4: destruction of the information system would especially seriously harm social order and the public interest, or seriously harm national security.
Level 5: destruction of the information system would especially seriously harm national security.
Article 8 The operating and using units of information systems shall protect their systems in accordance with these Measures and the relevant technical standards, and the relevant national information security regulatory departments shall supervise and manage their classified protection work.
The operating and using units of Level 1 information systems shall protect them in accordance with the relevant national management norms and technical standards.
The operating and using units of Level 2 information systems shall protect them in accordance with the relevant national management norms and technical standards. The national information security regulatory departments shall guide the classified protection work for systems at this level.
The operating and using units of Level 3 information systems shall protect them in accordance with the relevant national management norms and technical standards. The national information security regulatory departments shall supervise and inspect the classified protection work for systems at this level.
The operating and using units of Level 4 information systems shall protect them in accordance with the relevant national management norms, technical standards and the special security requirements of their business. The national information security regulatory departments shall carry out mandatory supervision and inspection of the classified protection work for systems at this level.
The operating and using units of Level 5 information systems shall protect them in accordance with the national management norms, technical standards and the special security requirements of their business. Departments specially designated by the State shall supervise and inspect the classified protection work for systems at this level.
Chapter III Implementation and Management of Classified Protection
Article 9 The operating and using units of information systems shall carry out classified protection in accordance with the Implementation Guide for Classified Protection of Information System Security.
Article 10 The operating and using units of information systems shall determine the security protection level of their systems in accordance with these Measures and the Grading Guide for Classified Protection of Information System Security. Where there is a competent department, the level shall be examined and approved by it.
The competent department may uniformly determine the security protection level of information systems that are networked and operated across provinces or nationwide.
For an information system proposed for Level 4 or above, the operating and using unit or the competent department shall request review by the National Expert Review Committee for Classified Protection of Information Security.
Article 11 After the security protection level of an information system has been determined, the operating and using unit shall, in accordance with the national management norms and technical standards for classified protection of information security, carry out the security construction or rectification of the system using information technology products that comply with the relevant national regulations and meet the requirements of the system's security protection level.
Article 12 During the construction of an information system, the operating and using unit shall follow technical standards such as the Classification Criteria for Security Protection Levels of Computer Information Systems (GB17859-1999) and the Basic Requirements for Classified Protection of Information System Security, and refer to technical standards such as Information Security Technology: General Security Technical Requirements for Information Systems (GB/T20271-2006), Information Security Technology: Basic Security Technical Requirements for Networks (GB/T20270-2006), Information Security Technology: Security Technical Requirements for Operating Systems (GB/T20272-2006), Information Security Technology: Security Technical Requirements for Database Management Systems (GB/T20273-2006), Information Security Technology: Technical Requirements for Servers, and Information Security Technology: Security Level Technical Requirements for Terminal Computer Systems (GA/T671-2006), and shall build, in step with the system, information security facilities that meet the requirements of its level.
Article 13 The operating and using unit shall, with reference to management specifications such as Information Security Technology: Security Management Requirements for Information Systems (GB/T20269-2006), Information Security Technology: Security Engineering Management Requirements for Information Systems (GB/T20282-2006) and the Basic Requirements for Classified Protection of Information System Security, formulate and implement a security management system that meets the requirements of the system's security protection level.
Article 14 After construction of an information system is completed, the operating and using unit or its competent department shall select an evaluation institution that meets the conditions in these Measures and regularly carry out a level evaluation of the system's security level in accordance with technical standards such as the Evaluation Requirements for Classified Protection of Information System Security. Level 3 information systems shall undergo a level evaluation at least once a year, Level 4 information systems at least once every six months, and Level 5 information systems according to their special security requirements.
The operating and using units of information systems and their competent departments shall regularly carry out self-inspection of the security status of the system and of the implementation of its security protection system and measures. Level 3 information systems shall be self-inspected at least once a year, Level 4 information systems at least once every six months, and Level 5 information systems according to their special security requirements.
Where evaluation or self-inspection finds that the security status of an information system does not meet the requirements of its security protection level, the operating and using unit shall formulate a plan for rectification.
Article 15 The operating and using unit of an information system of Level 2 or above that is already in operation shall, within 30 days after its security protection level is determined, complete the filing formalities with the public security organ at or above the level of the city divided into districts where it is located.
A newly built information system of Level 2 or above shall, within 30 days after being put into operation, be filed by its operating and using unit with the public security organ at or above the level of the city divided into districts where it is located.
Information systems of units subordinate to the central authorities, whether in Beijing or elsewhere, and information systems networked and operated across provinces or nationwide whose level is uniformly determined by their competent department, shall be filed with the Ministry of Public Security by the competent department. The branch systems operated and used locally of an information system networked and operated across provinces or nationwide shall be filed with the local public security organ at or above the level of the city divided into districts.
Article 16 When filing the security protection level of an information system, the Information System Security Protection Level Filing Form shall be completed. For information systems of Level 3 or above, the following materials shall also be provided: (1) system topology and description; (2) the system's security organization and management system; (3) the design implementation scheme or rectification implementation scheme for the system's security protection facilities; (4) a list of the information security products used by the system and their certification certificates and sales licences; (5) the technical test and evaluation report showing that the system meets its security protection level after evaluation; (6) the expert review opinion on the system's security protection level; (7) the competent department's examination and approval opinion on the system's security protection level.
Article 17 The public security organ shall review the filing of an information system. Where it meets the requirements of classified protection, the organ shall issue the Filing Certificate for Classified Protection of Information System Security within 10 working days of receiving the filing materials; where the filing is found not to conform to these Measures and the relevant standards, the organ shall, within 10 working days of receiving the filing materials, notify the filing unit to make corrections; where the level is found to be inaccurately determined, the organ shall, within 10 working days of receiving the filing materials, notify the filing unit to review and re-determine it.
After the operating and using unit or the competent department re-determines the level of an information system, it shall re-file with the public security organ in accordance with these Measures.
Article 18 The public security organ accepting a filing shall inspect the performance of classified protection work by the operating and using units of Level 3 and Level 4 information systems. Level 3 information systems shall be inspected at least once a year and Level 4 information systems at least once every six months. Inspection of information systems networked and operated across provinces or nationwide shall be carried out jointly with the competent department.
Level 5 information systems shall be inspected by the departments specially designated by the State.
The public security organ and the departments specially designated by the State shall inspect the following matters: (1) whether the security requirements of the information system have changed and whether the originally determined level remains accurate; (2) the implementation of the security management system and measures by the operating and using unit; (3) the inspection of the system's security by the operating and using unit and its competent department; (4) whether the system's level evaluation meets the requirements; (5) whether the use of information security products meets the requirements; (6) the security rectification of the system; (7) whether the filing materials are consistent with the operating and using unit and the information system; (8) other matters that should be supervised and inspected.
Article 19 The operating and using units of information systems shall accept the security supervision, inspection and guidance of the public security organs and the departments specially designated by the State, and shall truthfully provide them with the following information, materials and data files relating to information security protection: (1) changes to the filed items of the information system; (2) changes to the security organization and personnel; (3) changes to the information security management system and measures; (4) records of the system's operating status; (5) records of the regular inspections of the system's security status by the operating and using unit and the competent department; (6) the technical evaluation report of the system's level evaluation; (7) changes in the use of information security products; (8) the information security incident emergency plan and the reports on the outcome of incident emergency response; (9) reports on the results of the system's security construction and rectification.
Article 20 Where inspection by the public security organ finds that the security protection status of an information system does not conform to the relevant management norms and technical standards of classified protection, the organ shall issue a rectification notice to the operating and using unit. The operating and using unit shall rectify in accordance with the rectification notice, the management norms and the technical standards, and after rectification is completed shall file a rectification report with the public security organ. Where necessary, the public security organ may organize an inspection of the rectification.
Article 21 Information systems of Level 3 or above shall use information security products that meet the following conditions: (1) the product's developer and producer is invested in by Chinese citizens or Chinese legal persons, or invested in or controlled by the State, and has independent legal-person status within the territory of the People's Republic of China; (2) the core technology and key components of the product are covered by independent Chinese intellectual property rights; (3) the developer and producer and its principal business and technical personnel have no criminal record; (4) the developer and producer undertakes that it has not deliberately left or implanted vulnerabilities, backdoors, Trojans or similar programs or functions; (5) the product does no harm to national security, social order or the public interest; (6) products listed in the information security product certification catalogue have obtained the certification certificate issued by the national information security product certification body.
Article 22 Information systems of Level 3 or above shall be evaluated by classified protection evaluation institutions that meet the following conditions: (1) registered within the territory of the People's Republic of China (excluding Hong Kong, Macao and Taiwan); (2) an enterprise or public institution invested in by Chinese citizens, Chinese legal persons or the State (excluding Hong Kong, Macao and Taiwan); (3) engaged in relevant testing and evaluation work for more than two years with no record of violations of law; (4) staffed exclusively by Chinese citizens; (5) its legal representative and principal business and technical personnel have no criminal record; (6) the technical equipment and facilities it uses meet the requirements of these Measures for information security products; (7) it has sound security management systems for confidentiality management, project management, quality management, personnel management, and training and education; (8) it poses no threat to national security, social order or the public interest.
Article 23 Institutions engaged in level evaluation of information system security shall perform the following obligations: (1) abide by the relevant national laws, regulations and technical standards, provide secure, objective and impartial testing and evaluation services, and ensure the quality and effect of the evaluation; (2) keep confidential the state secrets, trade secrets and personal privacy learned in the course of evaluation, and guard against the risks arising from evaluation; (3) give evaluation personnel security and confidentiality education, sign security and confidentiality responsibility undertakings with them specifying the security and confidentiality obligations they must perform and the legal liability they bear, and be responsible for checking their implementation.
Chapter IV Classified Protection and Management of Information Systems Involving State Secrets
Article 24 Secret-related information systems (information systems involving state secrets) shall be protected in accordance with the basic requirements of national classified protection of information security, the management regulations and technical standards of the state secrecy work department on classified protection of secret-related information systems, and the actual circumstances of the system. Non-secret-related information systems shall not process state secret information.
Article 25 Secret-related information systems are divided into three levels, secret, confidential and top secret, according to the highest classification of the information they process.
The constructing and using unit of a secret-related information system shall, on the basis of standardized classification of its information, determine the system's level in accordance with the management measures for classified protection of secret-related information systems and the national secrecy standard BMB17-2006, Technical Requirements for Classified Protection of Computer Information Systems Involving State Secrets. Where a secret-related information system contains multiple security domains, the protection level of each security domain may be determined separately.
The secrecy work departments and organizations shall supervise and guide the constructing and using units of secret-related information systems in determining system levels accurately and reasonably.
Article 26 The constructing and using unit of a secret-related information system shall promptly report the level determination, construction and use of the system to the secrecy work organization of its competent business department and to the secrecy work department responsible for system approval for filing, and shall accept the supervision, inspection and guidance of the secrecy work departments.
Article 27 The constructing and using unit of a secret-related information system shall select units holding qualifications for secret-related system integration to undertake or participate in the design and implementation of the system.
The constructing and using unit of a secret-related information system shall carry out scheme design and implement classified protection in accordance with the management norms and technical standards for classified protection of secret-related information systems, the differing requirements of the secret, confidential and top secret levels, and the actual circumstances of the system. The protection level shall in general be no lower than Level 3, Level 4 and Level 5 of national classified protection of information security respectively.
Article 28 The information security and confidentiality products used in secret-related information systems shall in principle be domestic products, and shall pass testing carried out by testing institutions authorized by the National Administration for the Protection of State Secrets in accordance with the relevant national secrecy standards. Products that pass testing are reviewed and published by the National Administration for the Protection of State Secrets.
Article 29 After implementation of the system project, the constructing and using unit of a secret-related information system shall apply to the secrecy work department, and a system evaluation institution authorized by the National Administration for the Protection of State Secrets shall carry out the security and confidentiality evaluation of the system in accordance with the national secrecy standard BMB22-2007, Evaluation Guide for Classified Protection of Computer Information Systems Involving State Secrets.
Before a secret-related information system is put into use, its constructing and using unit shall apply to the secrecy work department at or above the level of the city divided into districts for system approval in accordance with the Administrative Provisions on the Approval of Information Systems Involving State Secrets; the system may be put into use only after approval. The constructing and using unit of a secret-related information system already in use shall, after completing system rectification in accordance with the requirements of classified protection, file with the secrecy work department.
Article 30 When applying for system approval or filing, the constructing and using unit of a secret-related information system shall submit the following materials: (1) the system design and implementation scheme and the review and demonstration opinions on it; (2) the qualification certificates of the system contractors; (3) the system construction and project supervision report; (4) the system security and confidentiality testing and evaluation report; (5) the system's security and confidentiality organization and management system; (6) other relevant materials.
Article 31 Where the classification level, connection scope, environment and facilities, principal applications or the unit responsible for security and confidentiality management of a secret-related information system change, its constructing and using unit shall promptly report to the secrecy work department responsible for examination and approval, which shall decide according to the actual circumstances whether re-evaluation and re-approval are required.
Article 32 The constructing and using unit of a secret-related information system shall strengthen confidentiality management during the system's operation, regularly carry out risk assessment, and eliminate hidden dangers and vulnerabilities that could lead to leaks of secrets, in accordance with the national secrecy standard BMB20-2007, Management Specification for Classified Protection of Information Systems Involving State Secrets.
Article 33 The national and local secrecy work departments at all levels shall, in accordance with law, supervise and manage the classified protection of secret-related information systems in their regions and departments, and shall do the following work well: (1) guide, supervise and inspect the implementation of classified protection; (2) guide the constructing and using units of secret-related information systems in standardizing the classification of information and reasonably determining the system protection level; (3) participate in the demonstration of classified protection schemes for secret-related information systems, and guide constructing units in planning and designing security facilities in step with the system; (4) supervise and manage, in accordance with law, the units holding qualifications for secret-related system integration; (5) strictly carry out system evaluation and approval, and supervise and inspect the implementation of classified protection management systems and technical measures by the constructing and using units of secret-related information systems; (6) strengthen confidentiality supervision and inspection during the operation of secret-related information systems, carrying out a confidentiality inspection or system evaluation at least once every two years for secret-level and confidential-level systems and at least once a year for top-secret-level systems; (7) keep abreast of the management and use of secret-related information systems at all levels, and promptly discover and investigate violations and leak incidents of all kinds.
Chapter V Cryptography Management in Classified Protection of Information Security
Article 34 The state cryptography administration department shall implement categorized and graded management of the cryptography used in classified protection of information security. The grading criteria for cryptography are determined according to the role and importance of the protected object in national security, social stability and economic construction, the security protection requirements and degree of confidentiality of the protected object, the degree of harm caused if the protected object is compromised, and the nature of the unit using the cryptography, among other factors.
Where the operating and using units of information systems use cryptography for classified protection, they shall comply with the cryptography management regulations and relevant standards such as the Administrative Measures for Cryptography in Classified Protection of Information Security and the Technical Requirements for Commercial Cryptography in Classified Protection of Information Security.
Article 35 The allocation, use and management of cryptography in the classified protection of information system security shall strictly comply with the relevant national provisions on cryptography management.
Article 36 The operating and using units of information systems shall make full use of cryptographic technology to protect their systems. The use of cryptography to protect information and information systems involving state secrets shall be submitted to the State Cryptography Administration for approval, and the design, implementation, use, operation, maintenance and routine management of the cryptography shall be carried out in accordance with the relevant provisions and standards of the State Cryptography Administration. The use of cryptography to protect information and information systems not involving state secrets must comply with the Regulations on the Administration of Commercial Cryptography and the relevant provisions and standards on categorized and graded protection of cryptography, and the allocation and use of the cryptography shall be reported to the State Cryptography Administration for the record.
Article 37 Where cryptographic technology is used in the construction and rectification of an information system for classified protection, cryptographic products approved for use or for sale by the state cryptography administration department must be used for security protection; cryptographic products imported from abroad or developed without authorization shall not be used, and imported information technology products containing cryptographic functions shall not be used without approval.
Article 38 The evaluation of cryptography and cryptographic devices in information systems shall be undertaken by evaluation institutions recognized by the State Cryptography Administration; no other department, unit or individual may evaluate or monitor cryptography.
Article 39 Cryptography administration departments at all levels may, regularly or at irregular intervals, inspect and evaluate the allocation, use and management of cryptography in classified protection of information systems, and shall inspect and evaluate the allocation, use and management of cryptography in important secret-related information systems at least once every two years. Where supervision and inspection finds security risks, violations of the relevant provisions on cryptography management, or failure to meet the requirements of the relevant cryptography standards, the matter shall be handled in accordance with the relevant national provisions on cryptography management.
Chapter VI Legal Liability
Article 40 Where the operating and using unit of an information system of Level 3 or above violates these Measures by committing any of the following acts, the public security organ, the state secrecy work department or the state cryptography administration department shall, according to their division of responsibilities, order it to correct within a time limit; if it fails to correct within the time limit, it shall be given a warning and reported to its superior competent department with a recommendation that the person in charge and other persons directly responsible be dealt with, and the result shall be fed back promptly: (1) failing to file or obtain approval in accordance with these Measures; (2) failing to implement the security management system and measures in accordance with these Measures; (3) failing to carry out system security inspection in accordance with these Measures; (4) failing to carry out system security technical evaluation in accordance with these Measures; (5) refusing to rectify after receiving a rectification notice; (6) failing to use information security products and evaluation institutions in accordance with these Measures; (7) failing to truthfully provide the relevant documents and supporting materials in accordance with these Measures; (8) violating the secrecy management regulations; (9) violating the cryptography management regulations; (10) violating other provisions of these Measures.
Where a violation of the preceding paragraph causes serious damage, the relevant departments shall deal with it in accordance with the relevant laws and regulations.
Article 41 Where an information security regulatory department or its staff neglect their duties, abuse their powers or engage in malpractice for personal gain in performing supervision and management duties, they shall be given administrative sanctions in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law.
Chapter VII Supplementary Provisions
Article 42 The operating and using units of information systems already in operation shall determine the security protection level of their systems within 180 days of the date these Measures take effect; the security protection level of a newly built information system shall be determined at the design and planning stage.
Article 43 The term "at or above" as used in these Measures includes the number (level) itself.
Article 44 These Measures take effect on the date of promulgation, and the Administrative Measures for Classified Protection of Information Security (for Trial Implementation) (Gong Tong Zi [2006] No. 7) are repealed at the same time.