Administrative Measures for the Hierarchical Protection of Information Security

By Todd Kuhns, last updated on Jun 22, 2007

Release Date: 06-22-2007

Source: Ministry of Industry and Information Technology

Chinese Title: 信息安全等级保护管理办法

Gong Tong Zi [2007] No. 43

Chapter I General Provisions

Article 1 For the purpose of regulating the administration of the hierarchical protection of information security, improving the support capacity and level for information security, maintaining national security, social stability and public interests, and safeguarding and promoting the informatization process, these Measures are formulated in accordance with the Regulations of the People’s Republic of China on the Security Protection of Computer Information System and other relevant laws and regulations.

Article 2 The State shall, by developing nationally effective good practice and technical standards for the hierarchical protection of information security, organize citizens, legal persons and other organizations to carry out hierarchical security protection of information systems, and supervise and administer the hierarchical protection work.

Article 3 The public security organs shall take charge of supervising, inspecting and guiding the hierarchical protection of information security. The state secrecy authorities shall take charge of supervising, inspecting and guiding the secrecy-related work in the hierarchical protection of information security. The state cryptography administration shall take charge of supervising, inspecting and guiding the cryptogram work concerned in the hierarchical protection of information security. Matters under the jurisdiction of any other functional department shall be subject to the administration thereby in accordance with the relevant laws and regulations of the State. The information office of the State Council and the offices of local leadership groups for informatization shall take charge of the interdepartmental coordination work for the hierarchical protection of information security.

Article 4 The department in charge of information system shall regulate, urge, inspect and guide the hierarchical protection of information security of all entities operating and using an information system in the industry, department or region concerned.

Article 5 Entities operating and using information systems shall perform their obligations and duties of the hierarchical protection of information security in accordance with these Measures and the relevant standards.

Chapter II Grading and Protection

Article 6 The hierarchical protection of the information security at the national level shall follow the principle of “independent grading and independent protection”. The security protection grade of an information system shall be determined according to such factors as the degree of importance of the information system in national security, economic development and social activities as well as the degree of hazards of the information system to national security, social order, public interests and the legitimate rights and interests of citizens, legal persons and other organizations in case such information system is destroyed.

Article 7 The security protection of an information system may be graded into five grades as follows:

Grade I: the destruction of a Grade I information system will cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, but will cause no damage to national security, social order or public interests.

Grade II: the destruction of a Grade II information system will cause material damage to the legitimate rights and interests of citizens, legal persons and other organizations or cause damage to social order and public interests, but will not damage national security.

Grade III: the destruction of a Grade III information system will cause material damage to social order and public interests or will cause damage to national security.

Grade IV: the destruction of a Grade IV information system will cause particularly material damage to social order and public interests or will cause material damage to national security.

Grade V: the destruction of a Grade V information system will cause particularly material damage to national security.

Article 8 Entities operating and using information systems shall protect information systems in accordance with these Measures and the relevant technical standards, and the state departments in charge of the supervision and administration of information security shall supervise and administer the hierarchical protection work conducted by these entities.

Entities operating and using Grade I information system shall protect the information system in accordance with relevant good practice and technical standards of the State.

Entities operating and using Grade II information system shall protect the information system in accordance with relevant good practice and technical standards of the State. The state departments in charge of the supervision and administration of information security shall supervise and administer the hierarchical protection work on information security of the information system of such Grade.

Entities operating and using Grade III information system shall protect the information system in accordance with relevant good practice and technical standards of the State. The state departments in charge of the supervision and administration of information security shall supervise and administer the hierarchical protection work on information security of the information system of such Grade.

Entities operating and using Grade IV information system shall protect the information system in accordance with relevant good practice and technical standards of the State, as well as special security requirements on business. The state departments in charge of the supervision and administration of information security shall compulsorily supervise and administer the hierarchical protection work on information security of the information system of such Grade.

Entities operating and using Grade V information systems shall protect the information system in accordance with relevant good practice and technical standards of the State, as well as special security requirements on business. The department designated by the State shall specially supervise and administer the hierarchical protection work on information security of the information system of such Grade.

Chapter III Implementation and Administration of Hierarchical Protection

Article 9 Entities operating and using an information system shall carry out the hierarchical protection work in accordance with the Guide for the Implementation of Hierarchical Security Protection of Information Systems.

Article 10 Entities operating and using an information system shall determine the security protection grade of the information system in accordance with these Measures and the Guide for the Grading of Security Protection of Information Systems, and report the grade to the department in charge (if any) for examination and approval.

The security protection grade of an information system running via a unified trans-provincial or national network shall be determined by the department in charge in a unified way.

As for an information system to be determined as Grade IV or above, its operator or user or the department in charge shall have it assessed by the expert committee on state information security protection grades.

Article 11 After the security protection grade of an information system is determined, its operator or user shall, in accordance with the good practice for the hierarchical security protection of information at the national level and the relevant technical standards, use information technology products that conform to the relevant provisions of the State and satisfy the requirements on the protection grade for the security construction or reconstruction of the information system.

Article 12 In the process of constructing an information system, the operator or user shall synchronously construct the information security facilities that satisfy the requirements of the protection grade of the information system in accordance with the technical standards such as the Criteria for Grading of Security Protection of Computer Information System (GB17859-1999), the Basic Requirements for Graded Security Protection of Information System, with reference to the Information Security Technology-the General Security Technical Requirements for Information Systems (GB/T20271-2006), the Information Security Technology-the Security Technical Requirements for Network Basis (GB/T20270-2006), the Information Security Technology-the Security Technical Requirements for Operating Systems (GB/T20272-2006), the Information Security Technology-the Security Technical Requirements for Database Management Systems (GB/T20273-2006), the Information Security Technology-the Technical Requirements for Servers, and the Information Security Technology-the Security Technical Requirements for Terminal Computer Systems (GA/T671-2006).

Article 13 An entity operating and using an information system shall develop a security management system satisfying the requirements of the protection grade of its information system in accordance with the Information Security Technology-the Requirements for the Security Management of Information Systems (GB/T20269-2006), the Information Security Technology- Management Requirements for Information System Security Engineering (GB/T20282-2006) and the Basic Requirements on the Hierarchical Security Protection of Information System, etc., and put it into practice.

Article 14 After an information system is completed, its operator or user or the department in charge of it shall select an evaluation agency which satisfies the conditions prescribed in these Measures to conduct evaluations on the security grade status of the information system on a regular basis in accordance with such technical standards as the Evaluation Requirements on the Hierarchical Security Protection of Information System. At least one evaluation shall be conducted for a Grade III information system every year, at least one evaluation shall be conducted for a Grade IV information system every half year, while a Grade V information system shall be evaluated in light of the special security demands.

The entity operating or using an information system and the department in charge of it shall conduct self-inspection on the security status of the information system, the security protection system and the implementation of the relevant measures on a regular basis. At least one self-inspection shall be conducted for a Grade III information system every year, at least one self-inspection shall be conducted for a Grade IV information system every half year, while a Grade V information system shall be inspected in light of the special security demands.

If, upon evaluation or self-inspection, the security status of an information system does not satisfy the requirements of its security protection grade, its operator or user shall work out a plan of rectification.

Article 15 As for an information system of Grade II or above which has been put into operation, its operator or user shall, within 30 days since the date when its security protection grade is determined, complete the record-filing procedures at the local public security organ at the level of city divided into districts or above.

For an information system of Grade II or above newly built, its operator or user shall, within 30 days after it is put into operation, complete the record-filing procedures at the local public security organ at the level of municipality divided into districts or above.

As for the information system of a Beijing-located entity subordinated to the Central Government, if it is operated via a trans-provincial or nationwide network and its security grade is determined by the department in charge of it in a unified way, the department in charge shall complete the record-filing procedures at the public security organ. As for an information system which is operated via a trans-provincial or nationwide network, any of its branch systems operated and applied in different regions shall be filed for record with the local public security organ at the level of cities divided into districts or above.

Article 16 To go through record-filing procedures for the security protection grade of an information system, the Record-filing Form for Graded Security Protection of Information System shall be filled out, and, for an information system of Grade III or above, the following materials shall also be submitted:

1. The topological structure of the system and a description thereon;

2. The organization and management system for the system security;

3. The plan for implementing the design of security protection facilities or the reconstruction plan;

4. A list of the information security products used for the system and the certification and sales permit of each such product;

5. A technical testing and evaluation report proving that the system satisfies the requirements of its security protection grade;

6. The review opinions of the expert committee on information system security protection grades; and

7. The opinions of the department in charge when examining and approving the security protection grade of the system.

Article 17 After an information system is filed for record, the public security organ shall examine the record-filing situation of the information system; if it satisfies the hierarchical protection requirements, the public security organ shall issue the record-filing certificate on the security protection grade of the information system within 10 days since the date when the record-filing materials are received. If it is found not to conform to these Measures or the relevant standards, the public security organ shall, within 10 days since the date when the record-filing materials are received, notify the entity filing the information system for record to correct. If it is found that the grade of the information system is wrongly determined, the public security organ shall, within 10 days since the date when the record-filing materials are received, notify the entity concerned to re-determine the grade.

Once the grade of an information system is re-determined, its operator or user or the department in charge shall file for record again with the public security organ in accordance with these Measures.

Article 18 The public security organ accepting the record-filing materials shall inspect operators' or users' work of hierarchical security protection of information systems of Grade III or IV. At least one inspection shall be conducted every year for an information system of Grade III, and every half year for an information system of Grade IV. Inspection over an information system operated via a trans-provincial or nationwide network shall be conducted together with the department in charge of it.

Inspection on an information system of Grade V shall be conducted by a special department designated by the State.

The public security organ or the special department designated by the state shall inspect the following matters:

1. Whether there is any change in the security demand of the information system and whether the protection grade is correctly determined;

2. Whether its operator or user has properly implemented the security management system and the relevant measures;

3. The results of the security status inspection conducted by its operator or user and the department in charge of it;

4. Whether the evaluation on the security protection grade has been conducted in accordance with the relevant requirements;

5. Whether the information security products used satisfy the relevant requirements;

6. The rectification situation of security of information system;

7. Whether the record-filing materials are consistent with the situation of its operator or user and the information system; and

8. Other matters to be supervised and inspected.

Article 19 Entities operating or using an information system shall be subject to the security supervision, inspection and guidance provided by the public security organ or the special department designated by the State, and truthfully provide them with the following information materials and data files about information security protection:

1. Changes in the matters of record filing;

2. Changes in the security organization and personnel;

3. Changes in the information security management system and the relevant measures;

4. Record of the operating status of the information system;

5. Record of the inspections conducted by its operator or user and the department in charge of it on the security status of the information system on a regular basis;

6. The technical evaluation report on its security protection grade;

7. Changes in the use of information security products;

8. The plan for response to information security emergencies and the report on the results of response to such emergencies; and

9. The report on development of information system security or rectification results.

Article 20 Where the public security organ finds that the security protection status of an information system does not conform to the relevant good practice and technical standards for the hierarchical protection of information security, it shall send a notice of rectification to the operator or user concerned, which shall, as required in the notice, make rectifications in accordance with the relevant good practice and technical standards, and file the rectification report with the public security organ for the record. The public security organ may inspect the rectification when necessary.

Article 21 For an information system of Grade III or above, information security products satisfying the following requirements shall be selected for use:

1. The developer or manufacturer of the product shall be invested by the Chinese citizens or the Chinese legal persons or invested or controlled by the State and shall have independent status of a legal person in the People’s Republic of China;

2. The core technology and the critical component of the product shall have independent intellectual property rights in China;

3. The developer or manufacturer of the product and its major business and technical personnel have no criminal record;

4. The developer or manufacturer of the product has declared that it has not intentionally set up any loophole, back door, trojan or any other such program or function;

5. The product does not constitute any harm to national security, social order or public interest; and

6. An authentication certificate shall have been obtained from the state information security product certification authority if the product has been listed into the information security product certification catalogue.

Article 22 Evaluations on the hierarchical protection of an information system of Grade III or above shall be conducted by an agency satisfying the following requirements:

1. It is established within the People’s Republic of China (excluding Hong Kong, Macau and Taiwan);

2. It is an enterprise or a public institution invested by the Chinese citizens, the Chinese legal persons or the State (excluding Hong Kong, Macau and Taiwan);

3. It has been engaging in the relevant testing and evaluation work for 2 years or more and has a clean record;

4. All its staff are Chinese nationals;

5. Neither its legal person nor any of its major business and technical personnel has a criminal record;

6. Its technical equipment and facilities shall satisfy the requirements for information security products as provided in these Measures;

7. It has sound systems regarding secrecy management, project management, quality control, personnel management, training and education and other security-related management; and

8. It does not constitute any threat to national security, social order or public interests.

Article 23 An information system security grade evaluation agency shall fulfill the following obligations:

1. Abiding by the relevant state laws, regulations and technical standards, providing safe, objective and impartial testing and evaluating services and guaranteeing the quality and efficacy of such evaluations;

2. Keeping the state secrets, trade secrets and individual privacy informed of in conducting evaluation activities, and preventing evaluation risks; and

3. Providing security secrecy education to evaluating personnel, concluding security secrecy responsibility documents with them which shall stipulate the security secrecy obligations and corresponding legal liability, and being responsible for inspecting the implementation thereof.

Chapter IV Administration of the Hierarchical Protection of Information Systems Involving State Secrets

Article 24 A secret-involved information system shall be under proper protection according to the basic requirements on the hierarchical protection of information security on a national basis, in accordance with the administrative provisions and technical standards of the state secrecy department on the hierarchical protection of secret information and in light of the actual situation.

Only secret-involved information systems may process information involving state secrets.

Article 25 Secret-involved information systems may be classified into secret, confidential and top secret in an ascending sequence according to the secret degree of the information to be processed by them.

The constructor or user of a secret-involved information system shall, on the basis of legally and correctly determining the secret degree of the information to be processed by it, determine the grade of the system according to the administrative measures for the hierarchical protection of secret-involved information systems and the Technical Requirements on the Hierarchical Protection of Computer Information Systems Involving State Secrets (the state secrecy standards BMB17-2006). As for any secret-involved information system containing two or more security domains, the protection grade of each security domain may be determined separately.

Secrecy departments and institutions shall supervise and guide secret-involved information system constructors and users to determine the secret degree of information systems in an accurate and reasonable manner.

Article 26 The constructor or user of a secret-involved information system shall report the grading, construction and use of the system to the secrecy organ of the department in charge and the secrecy department in charge of examining and approving the system for record, and shall be subject to the supervision, inspection and guidance of the secrecy department.

Article 27 The constructor or user of a secret-involved information system shall select an entity qualified for secret information integration to undertake or participate in the design and operation of the secret-involved information system.

The constructor or user of a secret-involved information system shall design and exercise hierarchical protection in accordance with the good practice and technical standards for the hierarchical protection of secret-involving information systems, under the different requirements on secret, confidential and top secret and in light of the actual conditions. The protection level shall generally be not below Grade III, Grade IV and Grade V, respectively.

Article 28 Home-made products shall be given priority when selecting information security secrecy products for a secret-involved information system to use. Such products shall be tested by an inspection agency authorized by the State Secrecy Bureau, which shall release a catalogue of products passing the testing.

Article 29 The constructor or user of a secret-involved information system shall, after the system engineering is completed, apply to the secrecy department for subjecting the system to a security secrecy evaluation conducted by an evaluation agency authorized by the State Secrecy Bureau in accordance with the Guide for Evaluating the Hierarchical Protection of Computer Information Systems Involving State Secrets (the state secrecy standards BMB22-2007).

Prior to putting a system into operation, the constructor or user shall, in accordance with the Administrative Provisions on the Examination and Approval of Information Systems Involving State Secrets, apply to the secrecy department at the level of city divided into districts or above for examination and approval. The information system may not be put into operation unless it is approved. As for a secret-involved information system which has been put into use, the entity constructing or using it shall, after rectifying in accordance with the hierarchical protection requirements, file the same with the secrecy department for the record.

Article 30 The constructor or user of a secret-involved information system shall submit the following application materials for examination and approval or record-filing:

1. A plan for the design and operation of the system, and the examination and argumentation opinions;

2. Supporting materials on the qualification of the entity contracting the construction of the system;

3. A report of the situation on the construction of the system and the supervision over the project;

4. A security secrecy inspection and evaluation report;

5. Basic information about the security secrecy organization and the management system; and

6. Other relevant materials.

Article 31 Where there is any change in the secret degree, connection area, environmental facilities, principal applications or the entity accountable for the security secrecy management of a secret-involved information system, the constructor or user of the system shall report the change to the secrecy department responsible for its examination and approval in a timely manner. The secrecy department shall decide whether to re-evaluate and re-approve it or not in light of the actual situation.

Article 32 The constructor or user of a secret-involved information system shall, in accordance with the Good Practice for the Hierarchical Protection of Information Systems Involving State Secrets (the state secrecy standards BMB20-2007), strengthen the secrecy administration in the operation of the information system and make risk assessment on a regular basis to eliminate any hidden danger or loophole that may lead to the leakage of any secret.

Article 33 The state and local secrecy departments at various levels shall supervise and administer the hierarchical protection work of secret-involved information systems carried out at all regions and by all departments and do a good job in the following aspects:

1. Guiding, supervising and examining the hierarchical protection work;

2. Guiding the constructor or user of a secret-involving information system to determine the secret degree of the system in a way as required and to reasonably determine the protection grade of the system;

3. Participating in the argumentation of the plan for the hierarchical protection of the system, and guiding its constructor or user to do a good job in the synchronized planning and design of secrecy facilities;

4. Legally supervising and administering the work conducted by the entities qualified for undertaking the integration work of the system;

5. Strictly carrying out the testing and evaluation and the examination and approval, and supervising and inspecting the implementation of the management systems and technical measures for the hierarchical protection of the system by the constructor or user of the system;

6. Making more efforts in the supervision and examination of the secrecy status in the operation of the system. At least one secrecy examination or system testing shall be conducted every two years for a secret or confidential information system, and every year for a top secret information system; and

7. Getting information about the situation on the management and use of various types of secret-involved information systems, and timely finding out and penalizing various unlawful practices and events divulging secrets.

Chapter V Password Administration in the Hierarchical Protection of Information Security

Article 34 The state cryptography administration shall exercise categorized and graded management over the cryptogram for the hierarchical protection of information security. The criterion on graded protection of the cryptogram for the hierarchical protection of information security shall be determined according to the functions and the degree of importance of the objects under protection in national security, social stability and economic construction, the security protection requirements and the secret degree of the objects, the extent of harm after such objects under protection are damaged, and the nature of the departments using cryptogram for the hierarchical protection of information security.

Operators and users of information systems shall, when using cryptogram for the hierarchical protection of information security, observe the Administrative Measures for Cryptogram Used for the Hierarchical Protection of Information Security, the Technical Requirements on Using Commercial Cryptography for the Hierarchical Security Protection of Information and other cryptography administrative provisions and the relevant standards.

Article 35 The setting, use and management of cryptogram used for the hierarchical protection of information security shall be in strict line with the relevant state provisions on cryptogram administration.

Article 36 Entities operating or using an information system shall use cryptogrammic technologies to the largest extent to protect the information system. Where an entity intends to use cryptogram to protect information or information systems involving state secrets, it shall obtain the approval of the State Cryptography Administration, and the design, use, operation, maintenance and daily management work shall be conducted in accordance with the relevant state provisions on cryptography administration and the relevant standards. Where an entity intends to use cryptogram to protect information or information systems not involving state secrets, it shall abide by the Regulations on the Administration of Commercial Cryptography, the relevant provisions on using cryptogram for categorized and hierarchical protection and the relevant standards, and report the setting and use of such cryptogram to the State Cryptography Administration for the record.

Article 37 To use a cryptogrammic technology for the construction or rectification of the hierarchical protection of information systems, an entity shall use cryptogrammic products the use of which has been approved or the sale of which has been permitted by the state cryptography administration. No entity may use cryptogrammic products introduced from overseas or developed by it without permission, or use any imported information technology product with the function of encryption.

Article 38 The testing and evaluation work on cryptogram and cryptogrammic equipment used for protecting information system shall be undertaken by an evaluation agency authorized and admitted by the State Cryptography Administration. No other department, entity or individual may do such work.

Article 39 The cryptography departments at various levels may examine and evaluate the setting, use and management of cryptogram used for the hierarchical protection of information system security on a regular or irregular basis. At least one examination and evaluation shall be conducted every two years on the setting, use and management of cryptogram used for protecting the security of important secret-involving information systems. Where any hidden danger, any violation of the relevant cryptography administrative provisions or the failure to satisfy the relevant requirements on cryptogram administration is found in the examination and evaluation, such situation shall be handled in accordance with the relevant state provisions on cryptography administration.

Article 40 Where the operator or user of an information system of Grade III or above commits any of the following acts, in violation of these Measures, the public security organ, the state secrecy department and the state cryptography administration shall, according to the division of work among them, order it to correct within a certain time limit, failing which, the operator or user shall be given a warning, the superior department in charge shall be informed of the relevant situation, and the directly liable person in charge and other directly liable persons shall be penalized as advised and the penalty result shall be reported in a timely manner:

1. Failing to complete the record-filing or examining and approving procedures as required by these Measures;

2. Failing to put the security management system and measures into effect as required by these Measures;

3. Failing to conduct examinations on the security status of the system as required by these Measures;

4. Failing to conduct technical evaluations on the security of the system as required by these Measures;

5. Refusing to rectify after receiving the notice of rectification;

6. Failing to select information security products and the evaluation agencies as required by these Measures;

7. Failing to truthfully provide the relevant documents and supporting materials as required by these Measures;

8. Violating the provisions on secrecy administration;

9. Violating the provisions on cryptogram administration; and

10. Violating other provisions of these Measures.

If any above-listed violation causes great damage, the department concerned shall penalize it in accordance with the relevant laws and regulations.

Article 41 Where any information security and administration supervision department or any of its staff neglects duties, abuses authority or engages in malpractices for personal gain in performing the supervision and administration duties, an administrative punishment shall be imposed according to law, and if the offence constitutes a crime, criminal liability shall be pursued according to law.

Chapter VII Supplementary Provisions

Article 42 The operator or user of an information system which has been put into operation shall determine the security protection grade of the information system within 180 days from the date these Measures come into force. As for a newly established information system, its security protection grade shall be determined in the design or concept phase.

Article 43 The term “above” or “more” as mentioned in these Measures shall include the given number (degree).

Article 44 These Measures come into force as of the date of promulgation, simultaneously repealing the Administrative Measures for the Hierarchical Protection of Information Security (for Trial Implementation) (Gong Tong Zi [2006] No. 7).