A Brief Discussion on the Establishment of Special Security Management Organizations for Operators of Key Information Infrastructure

Laws and regulations/standard specifications

Relevant provisions

Network Security Law

Article 21The state implements a network security level protection system. Network operators shall fulfill the following security protection obligations in accordance with the requirements of the network security level protection system to ensure that the network is not interfered with, damaged, or accessed without authorization, and to prevent the leakage or theft, and tampering of network data:

(I) Formulate internal security management systems and operational procedures, determine the network security person in charge, and implement the responsibility for network security protection;

(II) Adopt technical measures to prevent computer viruses, network attacks, and other behaviors that危害网络安全 that harm network security;

(III) Adopt technical measures for monitoring, recording the status of network operations, and network security incidents, and retain relevant network logs for at least six months in accordance with regulations; (IV) Adopt measures such as data classification, important data backup, and encryption;

(V) Other obligations stipulated by laws and administrative regulations.

Article 25 Network operators shall formulate emergency plans for network security incidents, promptly handle system vulnerabilities, computer viruses, network attacks, and other security risks; when a network security incident occurs, immediately activate the emergency plan, take corresponding remedial measures, and report to the relevant competent authorities in accordance with regulations.

第二十八条Article 28

Network operators shall provide technical support and assistance to public security organs and national security organs for the lawful maintenance of national security and the investigation of crimes.Article 34

In addition to the provisions of Article 21 of this Law, operators of key information infrastructure shall also fulfill the following security protection obligations:

(1) Set up special security management institutions and responsible persons for security management, and conduct security background checks on such responsible persons and personnel in key positions;

(2) Conduct regular network security education, technical training, and skill assessment for personnel;

(3) Carry out disaster recovery backup for important systems and databases;

(4) Formulate emergency plans for network security incidents and conduct drills regularly; (5) Other obligations stipulated by laws and administrative regulations.If the purchase of network products and services by the operators of key information infrastructure may affect national security, they shall go through the national security review organized by the National Internet Information Office together with relevant departments of the State Council.

Article 36When purchasing network products and services, operators of key information infrastructure shall enter into security and confidentiality agreements with providers in accordance with regulations, clearly defining security and confidentiality obligations and responsibilities.

Article 37Personal information and important data collected and generated by the operators of key information infrastructure within the territory of the People's Republic of China shall be stored within the territory. If it is necessary to provide it to overseas due to business needs, it shall be subject to a security assessment in accordance with the methods formulated by the National Internet Information Office together with relevant departments of the State Council; if there are other provisions of laws and administrative regulations, they shall be implemented accordingly.

Article 38Operators of key information infrastructure shall conduct self-inspection or entrust network security service institutions to conduct annual security and risk assessment of their networks at least once, and report the situation of inspection and assessment and improvement measures to relevant departments responsible for the security protection of key information infrastructure.

Article 40Network operators shall strictly keep the collected user information confidential and establish and improve the user information protection system.

Article 41Network operators collecting and using personal information shall follow the principles of legality, legitimacy, and necessity, publicly disclose collection and use rules, explicitly state the purposes, methods, and scope of collection and use of information, and obtain the consent of the collectors. Network operators shall not collect personal information unrelated to the services they provide, shall not collect, use personal information in violation of the provisions of laws and administrative regulations or agreements between both parties, and shall process the personal information they save in accordance with the provisions of laws and administrative regulations and agreements with users.

Article 42Network operators shall not disclose, alter, or damage the personal information they collect; without the consent of the collectors, they shall not provide personal information to others. However, exceptions are made for information that cannot be identified as specific individuals after processing and cannot be restored. Network operators shall take technical measures and other necessary measures to ensure the security of the personal information they collect, prevent information leakage, damage, or loss. In the event of or the possibility of personal information leakage, damage, or loss, immediate remedial measures shall be taken, and users shall be informed in accordance with regulations, and relevant competent departments shall be reported to.

Article 47Network operators shall strengthen the management of information published by their users. Where information prohibited from being published or transmitted by laws and administrative regulations is found, the transmission of such information shall be immediately stopped, and disposal measures such as elimination shall be taken to prevent the spread of information, save relevant records, and report to relevant competent departments.

Article 49Network operators shall establish a system for receiving complaints and reports on network information security, publish information such as complaint and report methods, and promptly receive and handle complaints and reports related to network information security. Network operators shall cooperate with the cybersecurity department and other relevant departments in the legal supervision and inspection they carry out.

Article 55In the event of a cybersecurity incident, the emergency plan for cybersecurity incidents shall be immediately initiated to investigate and evaluate the cybersecurity incident, require network operators to take technical measures and other necessary measures to eliminate potential hazards, prevent the expansion of harm, and timely release public warnings related to the public.

Article 56When the departments of the people's governments at or above the provincial level find that there are significant security risks in the network or that security incidents have occurred during the performance of their cybersecurity supervision and management duties, they may, in accordance with the prescribed authorities and procedures, engage in talks with the legal representatives or major responsible persons of the operators of the network. Network operators shall take the required measures, carry out rectification, and eliminate risks.

The Cryptography Law of the People's Republic of China

Article 14National secrets information transmitted in wired and wireless communications, as well as information systems for storing and processing national secrets information, shall be encrypted and protected and undergo secure authentication using core passwords and common passwords in accordance with laws, administrative regulations, and relevant national provisions.

Article 27For key information infrastructure that requires the use of commercial cryptography for protection according to laws, administrative regulations, and relevant national provisions, the operators shall use commercial cryptography for protection and conduct self-assessment or entrust commercial cryptography testing institutions to carry out safety assessments of commercial cryptography applications. The safety assessment of commercial cryptography applications shall be connected with the safety detection and evaluation of key information infrastructure and the cybersecurity level assessment system to avoid repeated assessment and evaluation. Where the acquisition of network products and services involving commercial cryptography by the operators of key information infrastructure may affect national security, it shall be subject to national security review organized by the national Internet information department in conjunction with the national cryptography management department and other relevant departments in accordance with the provisions of the Cybersecurity Law of the People's Republic of China.

The Data Security Law of the People's Republic of China

Article 27: The conduct of data processing activities shall be in accordance with the provisions of laws and regulations, establish and improve the full-process data security management system, organize data security training and education, adopt corresponding technical measures and other necessary measures to ensure data security. Data processing activities carried out through the Internet and other information networks shall fulfill the above obligations for data security protection on the basis of the cybersecurity level protection system.

The processors of important data shall clearly define the person in charge of data security and the management organization, and implement the responsibility for data security protection.

Article 30 The processors of important data shall regularly carry out risk assessments of their data processing activities in accordance with the regulations and submit risk assessment reports to the relevant competent departments.

The risk assessment report shall include the types and quantities of important data processed, the situation of data processing activities, the data security risks faced and their countermeasures, etc.

Article 31 The security management of the export of important data collected and generated during the operation of key information infrastructure within the territory of the People's Republic of China shall apply the provisions of the Cybersecurity Law of the People's Republic of China; the security management measures for the export of important data collected and generated during the operation within the territory of the People's Republic of China by other data processors shall be formulated by the national cyber information department in conjunction with relevant ministries and departments of the State Council.

Personal Information Protection Law of the People's Republic of China

Article 40 The operators of key information infrastructure and personal information processors who process personal information in accordance with the number specified by the national cyber information department shall store the personal information collected and generated within the territory of the People's Republic of China. If it is necessary to provide it overseas, it shall go through a security assessment organized by the national cyber information department; if it is stipulated by laws, administrative regulations, and the national cyber information department that a security assessment does not need to be conducted, it shall follow the relevant provisions.

Regulations on the Security Protection of Key Information Infrastructure

Article 4 The security protection of key information infrastructure adheres to comprehensive coordination, division of responsibility, legal protection, strengthens and implements the main responsibility of the operator of key information infrastructure (hereinafter referred to as the operator), gives full play to the role of the government and all sectors of society, and jointly protect the security of key information infrastructure.

Article 6 In accordance with the provisions of these regulations, relevant laws, administrative regulations, and mandatory requirements of national standards, the operator shall, on the basis of network security level protection, adopt technical protection measures and other necessary measures to respond to network security incidents, prevent network attacks and illegal and criminal activities, ensure the safe and stable operation of key information infrastructure, and maintain the integrity, confidentiality, and availability of data.

Article 11 If there are significant changes in the key information infrastructure that may affect the identification results, the operator shall promptly report the relevant circumstances to the protection work department. The protection work department shall complete the re-identification within 3 months from the date of receiving the report, notify the operator of the identification results, and inform the Ministry of Public Security of the State Council.

Article 12Security protection measures shall be planned, constructed, and used in sync with the key information infrastructure.

Article 13The operator shall establish and improve the network security protection system and responsibility system, and ensure the investment of human, financial, and material resources. The main person in charge of the operator is responsible for the overall security protection of key information infrastructure, leading the work of security protection and major network security incidents, and organizing the study and resolution of major network security issues.

Article 14　The operator shall establish a special security management institution and conduct security background checks on the responsible persons of the special security management institution and key position personnel. During the review, the public security organs and national security organs shall provide assistance.

Article 15: The specific security management institutions of the unit are responsible for the security protection of key information infrastructure within the unit, and shall perform the following duties:

(One) Establish and improve network security management, evaluation and assessment systems, and formulate security protection plans for key information infrastructure.

(Two) Organize and promote the construction of network security protection capabilities, carry out network security monitoring, detection, and risk assessment;

(Three) Develop emergency plans for the unit in accordance with national and industry network security incident emergency response plans, regularly carry out emergency drills, and deal with network security incidents;

(Four) Identify key positions in network security, organize and carry out network security work assessment, and put forward suggestions for rewards and penalties;

(Five) Organize network security education and training;

(Six) Fulfill personal information and data security protection responsibilities, establish and improve personal information and data security protection systems;

(Seven) Implement security management for services such as design, construction, operation, and maintenance of key information infrastructure;

(Eight) Report network security incidents and important matters in accordance with regulations.

Article 16: Operators shall ensure the operation expenses of special security management institutions, equip them with corresponding personnel, and involve personnel from special security management institutions in decisions related to network security and informationization.

Article 17: Operators shall carry out network security detection and risk assessment at least once a year on key information infrastructure by themselves or by entrusting network security service institutions, promptly rectify any security issues found, and report the situation in accordance with the requirements of the protection work department.

Article 18: When a major network security incident occurs or a major network security threat is discovered, the operator shall report to the protection work department and public security organs in accordance with relevant regulations.

When there is a major network security incident such as the overall interruption of operation or major functional failure of key information infrastructure, leakage of national basic information and other important data, large-scale personal information leakage, significant economic losses, and the large-scale spread of illegal information, or when a major network security threat is discovered, the protection work department shall report to the national cyber information department and the Ministry of Public Security of the State Council in a timely manner after receiving the report.

Article 19: Operators shall prioritize the procurement of secure and reliable network products and services; for network products and services that may affect national security, safety review shall be conducted in accordance with national network security regulations.

Article 20: When purchasing network products and services, operators shall enter into security confidentiality agreements with providers in accordance with national regulations, clarify the technical support, security confidentiality obligations, and responsibilities of the providers, and supervise the performance of obligations and responsibilities.

Article 21: If an operator undergoes mergers, divisions, dissolution, and other situations, it shall report to the protection work department in a timely manner and dispose of key information infrastructure in accordance with the requirements of the protection work department to ensure safety.

Regulations for Network Security Level Protection (Draft for Comments)

Article 6Network operators shall carry out activities such as network level classification and filing, safety construction rectification, level assessment, and self-inspection in accordance with the law, adopt management and technical measures to ensure the safety of network infrastructure, network operation, data, and information security, effectively respond to network security incidents, and prevent network criminal activities.

Article 20Network operators shall legally fulfill the following cybersecurity protection obligations to ensure network and information security:

(One) Determine the person responsible for cybersecurity level protection work, establish a responsibility system for cybersecurity level protection work, and implement the system of responsibility pursuit;

(Two) Establish security management and technical protection systems, establish systems for personnel management, education and training, system security construction, and system security operation and maintenance;

(Three) Implement systems for facility security management, equipment and medium security management, and network security management, and formulate operational specifications and work procedures;

(Four) Implement management and technical measures for identity recognition, prevention of malicious code infection and spread, and prevention of network intrusion attacks;

(Five) Implement management and technical measures for monitoring, recording network operation status, cybersecurity incidents, and illegal activities, and retain relevant network logs that can be traced back to network illegal activities for more than six months as prescribed;

(Six) Implement measures for data classification, important data backup, and encryption;

(Seven) Legally collect, use, and process personal information, and implement personal information protection measures to prevent the leakage, damage, tampering, theft, loss, and abuse of personal information; (Eight) Implement measures for the discovery, blocking, and elimination of illegal information, and implement measures to prevent the large-scale spread of illegal information and the loss of evidence of illegal activities;

(Nine) Implement the responsibilities of network connection registration and user real-name verification, etc;

(Ten) For incidents occurring in the network, a report shall be submitted to the local public security organs within 24 hours; for the disclosure of state secrets, a report shall also be submitted to the local administrative department in charge of secrecy protection at the same time.

(Eleven) Other cybersecurity protection obligations stipulated by laws and administrative regulations.

Article 21In addition to fulfilling the cybersecurity protection obligations stipulated in Article 20 of these Regulations, operators of networks at the third level and above shall also fulfill the following cybersecurity protection obligations:

(One) Determine the cybersecurity management organization, clarify the responsibilities of cybersecurity level protection, and establish a hierarchical approval system for matters such as network changes, network access, operation and maintenance, and technical support unit changes;

(Two) Formulate and implement a comprehensive cybersecurity plan and overall security protection strategy, formulate a safety construction plan, and have it reviewed and approved by professional technical personnel;

(Three) Conduct security background checks for cybersecurity management personnel and key position personnel, and implement the system of certified employment;

(Four) Conduct security management for institutions and personnel that provide network design, construction, operation and maintenance, and technical services;

(Five) Implement cybersecurity situation awareness monitoring and early warning measures, build a cybersecurity protection management platform, conduct dynamic monitoring and analysis of network operation status, network traffic, user behavior, and cybersecurity incidents, and connect with同级 public security organs;

(Six) Implement redundancy, backup, and recovery measures for important network equipment, communication links, and systems;

(Seven) Establish a cybersecurity level assessment system, carry out level assessments regularly, and report the assessment results and safety rectification measures, as well as the rectification results, to public security organs and relevant departments;

(Eight) Other cybersecurity protection obligations stipulated by laws and administrative regulations.

Article 50Above-county-level public security organs shall supervise and inspect the following situations of network security work carried out by network operators:

(I) Daily network security prevention work;

(II) Rectification of major network security risk隐患; (III) Emergency response and recovery work for major network security incidents;

(IV) Implementation of network security protection work for major activities;

(V) Other situations of network security protection work. Public security organs shall carry out at least one security check annually on network operators of the third level and above. Where relevant industries are involved, security checks may be conducted together with the competent industry departments. Where necessary, public security organs may entrust social forces to provide technical support. Network operators shall assist and cooperate, and provide relevant data and information as required by public security organs.

Article 55Public security organs shall deal with network security incidents in accordance with relevant regulations, carry out incident investigations, determine the responsibilities of the incidents, and investigate and deal with criminal activities that危害 network security. Where necessary, network operators may be ordered to take emergency measures such as blocking information transmission, suspending network operations, and backing up relevant data. Network operators shall cooperate and support public security organs and other departments in investigating and dealing with incidents.

Article 61Network operators and technical support units shall provide support and assistance to public security organs and national security organs for the law enforcement activities of maintaining national security and investigating crimes.

Basic Requirements for Network Security Level Protection of Information Security Technology (GB/T 22239-2019)

Taking the level protection level three as an example

8.1.7 Security Management Organization

8.1.7.1 Position Setting

This requirement includes:

a) A committee or leading group for guiding and managing network security work should be established, with the highest leader appointed or authorized by the unit's main leader;

b) A functional department for network security management should be established, and positions such as security directors and responsible persons for various aspects of security management should be established, and the responsibilities of each responsible person should be defined;

c) Positions such as system administrators, audit administrators, and security administrators should be established, and the responsibilities of each department and position should be defined.

8.1.7.2 Personnel Allocation

This requirement includes:

a) A certain number of system administrators, audit administrators, and security administrators should be appointed;

b) A full-time security administrator should be appointed and should not be concurrently held in another position.

8.1.7.3 Authorization and Approval

This requirement includes:

a) Authorization and approval matters, departments, and approvers should be clearly defined according to the responsibilities of each department and position;

b) Approval procedures should be established for matters such as system changes, important operations, physical access, and system access, and the approval process should be executed according to the established procedures, and a hierarchical approval system should be established for important activities;

c) It should regularly review and approve matters, and timely update the information of projects, departments, and individuals requiring authorization and approval.

8.1.7.4 Communication and Cooperation

This requirement includes:

a) It is necessary to strengthen cooperation and communication among various management personnel, internal organizations, and network security management departments, hold regular coordination meetings, and collaborate to handle network security issues together;

b) Strengthen cooperation and communication with cyber security functional departments, various suppliers, industry experts, and security organizations;

c) A list of affiliated units should be established, including the name of the affiliated unit, cooperation content, contact person, and contact information, and the like.

8.1.7.5 Audit and Inspection

This requirement includes:

a) Regular routine security inspections should be conducted, including daily operation of the system, system vulnerabilities, and data backup, and the like;

b) Regular comprehensive security inspections should be conducted, including the effectiveness of existing security technology measures, consistency of security configuration and security policies, and implementation of security management systems;

c) A security inspection form should be developed to implement security inspections, summarize security inspection data, form a security inspection report, and report the results of the security inspection.

8.1.8 Security Management Personnel

8. 1.8. 1 Personnel Recruitment

This requirement includes:

a) A designated department or personnel should be designated or authorized to be responsible for personnel recruitment;

b) The identity, security background, professional qualifications or qualifications of the newly employed personnel should be reviewed, and their technical skills should be assessed;

c) A confidentiality agreement should be signed with the newly employed personnel, and a job responsibility agreement should be signed with key position personnel.

8.1.8.2 Personnel Off-Duty

This requirement includes:

a) All access rights of off-duty personnel should be terminated in a timely manner, and various identity documents, keys, badges, and other soft and hardware provided by the organization should be collected back;

and equipment;

b) Strict transfer procedures should be followed, and a confidentiality obligation after transfer should be promised before leaving.

8.1.8.3 Security Awareness Education and Training

This requirement includes:

a) Security awareness education and job skill training should be provided for all types of personnel, and relevant security responsibilities and disciplinary measures should be informed;

b) Different training programs should be developed for different positions, including training on security basics, job operation procedures, and the like;

c) Skills assessment should be conducted regularly for personnel in different positions.

8.1.8.4 External Personnel Access Management

This requirement includes:

a) A written application should be submitted before external personnel physically access the controlled area, and after approval, a designated person should accompany them throughout the process and register and file a record;

b) A written application should be submitted before external personnel access the controlled network access system, and after approval, an account should be opened and permissions allocated by a designated person.

and register and file a record;

c) After external personnel leave the scene, their access rights should be cleared in a timely manner;

d) External personnel who obtain system access authorization shall sign a confidentiality agreement and shall not perform unauthorized operations, nor copy or leak any sensitive information.

《Information Security Technology Security Protection Requirements for Key Information Infrastructure (Draft for Review)

6.3 Security Management Organization

a) The operator shall establish a committee or leading group for guiding and managing cyber security work, led by the main responsible person of the organization, set up a special cyber security management organization (hereinafter referred to as 'security management organization'), clarify the person in charge and the post, establish and implement cyber security assessment and supervision and accountability mechanisms.

b) The main personnel of the safety management organization should participate in the informationization decision-making of this organization.

c) Relevant personnel of the safety management organization should participate in national, industry, or industry cyber security related activities, obtain cyber security dynamics in a timely manner, and convey them to relevant departments and personnel.

6.4 Security personnel

The operator should:

a) Conduct security background checks and security skill assessments for the heads of safety management organizations and key position personnel, and only those who meet the requirements can take up their positions. Key positions include system management, network management, and safety management positions directly related to key business systems. Key positions should be managed by special personnel and be equipped with management by two or more people.

b) Establish a network security training and education system, regularly carry out post-based network security training and skill assessment, and stipulate the appropriate annual training duration for key information infrastructure personnel and network security key position personnel. The content of training and education should include relevant systems and regulations of network security, network security protection technology, and network security risk awareness.

c) Conduct a security background check for personnel before they take up their positions, and when necessary or when the identity or security background of personnel changes (for example, obtaining non-Chinese nationality), a re-examination of the security background should be conducted according to the situation. When personnel change internal positions, the logical and physical access permissions of the transferred personnel to the key information infrastructure should be reassessed, the access permissions should be modified, and relevant personnel or roles should be notified. When personnel leave their positions, all access permissions of the leaving personnel should be terminated in a timely manner, the hardware and software equipment related to identity authentication should be收回, and a departure interview should be conducted and relevant personnel or roles should be notified.

d) Clarify the security and confidentiality responsibilities and obligations of staff, including security responsibilities, reward and punishment mechanisms, and confidentiality periods after leaving office. If necessary, sign a security and confidentiality agreement.

Secret laws and administrative regulations, the security protection laws and regulations of military networks, relevant regulations of this industry and unit, responsibilities and businesses proposed by the operator itself, etc.