中国网络安全等级保护制度理解与实施

●Table of Contents Part  Ⅰ Interpretation of Cybersecurity Classified Protection  System of China  1 Chapter  1 Development of China Cybersecurity Classified Protection System  2 1.1  Establishment of Computer Information Systems Security Protection System  2 1.2  Establishment of Information Security Classified Protection System  3 1.3  Establishment of Cybersecurity Classified Protection System  5 Chapter  2 Interpretation of the Cybersecurity Law  6 2.1  Cybersecurity Obligations and Primary Tasks  6 2.2  Division of Responsibilities and Related Obligations  12 2.3  National Cybersecurity Classified Protection System  14 2.4  Basic Responsibilities and Obligations of Network Operators  15 2.5  Operation Security of Critical Information Infrastructure  19 2.6  Network Data and Information Security  25 2.7  Monitoring, Early Warning, and Emergency Response  28 2.8  Acts Prohibited and Legal Responsibility  32 Chapter  3 Interpretation of Cybersecurity Classified Protection System of China  47 3.1  Policies on Cybersecurity Classified Protection  47 3.1.1  General Policy Documents  47 3.1.2  Policy Document of Classified Protection Specific Stages  48 3.2  Basic Concept of Cybersecurity Classified Protection  50 3.2.1  Legal Basis for Carrying Out Cybersecurity Classified Protection  50 3.2.2  Policy Basis for Carrying Out Cybersecurity Classified Protection  51 3.2.3  What is Cybersecurity Classified Protection  54 3.2.4  Division and Supervision of Security Protection Levels  56 3.2.5  Critical Information Infrastructure Protection  58 3.3  Main Contents of the Cybersecurity Classified Protection System  59 3.3.1  Organization Structure of Cybersecurity Classified Protection  59 3.3.2  Main Stages and Basic Requirements of Classified Protection  61 3.3.3  Security Management of Evaluation  65 3.3.4  Network Products and Security Service Requirements  66 Table  of Contents Interpretation  and Implementation of Cybersecurity Classified Protection System in China viii 3.3.5  Monitoring, Early Warning and Information Reporting  66 3.3.6  Data Security Protection  68 3.3.7  Emergency Disal Requirements  68 3.3.8  Evaluation Requirements  69 3.3.9  Risk Control of New Technology and New Application  69 3.3.10  Supervision and Administration of Cybersecurity Classified Protection Practices  69 Chapter  4 Interpretation of Cybersecurity Classified Protection Standards of China  72 4.1  Cybersecurity Classified Protection Standards Framework  72 4.2  Relationship between Relevant Standards and Different Stages of Classified Protection  73 4.2.1  Basic Standards  73 4.2.2  Classification  73 4.2.3  Security Requirements  74 4.2.4  Methodology and Guidance  75 4.2.5  Status Analysis  7.3  Issues Need Attentions for the Application of Relevant Standards  77 4.4  Brief Description of Main Standards on Cybersecurity Classified Protection  77 4.4.1  Classified Criteria for Security Protection of Computer Information System (GB  17859—1999)  78 4.4.2  Implementation Guide for Classified Protection of Cybersecurity (GB/T 25058—2019)  78 4.4.3  Testing and Evaluation Process Guide for Classified Protection of Cybersecurity (GB/T  28449—2018)  79 Part  Ⅱ Implementation of Cybersecurity Classified Protection System  of China  81 Chapter  5 Classification of Cybersecurity Classified Protection  82 5.1  Classification of Security Protection Levels  82 5.1.1  Principle of Classification  82 5.1.2  Security Protection Levels of Network  82 5.1.3  Classification Factors of Cybersecurity Protection Level  83 5.1.4  Protection and Supervision of the Five Levels  84 5.2  Procedures of Classification  84 5.2.1  Determine the Classification Object  85 5.2.2  Determine the Security Protection Level of Network  87 5.2.3  Expert Reviews of Cybersecurity Protection Level  88 5.2.4  Examination of Cybersecurity Protection Level  88 5.2.5  Public Security Authorities Examine the Security Protection Level of Network  89 Table  of Contents ix 5.3  How to Determine the Security Protection Level of Network  89 5.3.1  How to Understand the Five Security Protection Levels of Network  89 5.3.2  General Process of Network Classification  90 Chapter  6 Registration of Cybersecurity Classified Protection  92 6.1  Registration and Acceptance  92 6.2  Public Security Authorities Accept Network Registration  94 6.3  Treatment for Inaccurate Level and Non-registration  95   Public Security Authorities’ Guidance on Network Classification and Registration  95 Chapter  7 Development and Improvement of Cybersecurity Classified Protection  96 7.1  Objective and Content  96 7.1.1  Objective  96 7.1.2  Scope and Characteristics  96 7.1.3  Contents  97 7.1.4  Cybersecurity Protection Capability Objective  99 7.2  Methods and Processes  101 7.2.1  Methods  101 7.2.2  Processes  102 7.3  Security Management System Development  103 7.3.1  Implementing Cybersecurity Responsibility System  103 7.3.2  Cybersecurity Management Status Analysis  103 7.3.3  Forlating Security Management Strategy and System  104 7.3.4  Conducting Security Management Measures  104 7.3.5  Security Self-Inspection and Adjustment  107 7.4  Security Technology Measures Development  107 7.4.1  Security Protection Technology Status Analysis of Network  107 7.4.2  Designing of Cybersecurity Technology Development and Improvement Plan  108 7.4.3  Implementation and Management of Security Development and Improvement Engineering  110 7.4.4  Elements of Cybersecurity Development and Improvement Plan  111 7.5  Selection and Use of Information Security Products  112 7.5.1  Selecting the Information Security Products Licensed for Sale  112 7.5.2  ltilevel Testing and Use of Products  112 7.5.3  Issues Related to Information Security Products Used in Networks at or Above Level Ⅲ  113 7.5.4  Issues Related to the Commer Cryptography Products Used in Networks at or  above Level Ⅲ  114 7.6  Selecting the Development Service Organization of Cybersecurity Classified Protection  115 Chapter  8 Level Evaluation of Cybersecurity Classified Protection  117 8.1  Overview of Level Evaluation  117 Interpretation  and Implementation of Cybersecurity Classified Protection System in China x 8.1.1  Basic Connotation of Level Evaluation  117 8.1.2  Goals of Level Evaluation  118 8.1.3  When Should We Carry Out Level Evaluation  118 8.1.4  Business Scope of Level Evaluation Organizations  119 8.1.5  Standards of Level Evaluation  119 8.1.6  Development of Level Evaluation Business  120 8.1.7  Notes on the Application of Level Evaluation Standards  123 8.2  Management and Supervision of Level Evaluation Organizations and Personnel  123 8.2.1  Why Need to Develop the Level Evaluation System  123 8.2.2  Management of Evaluation Organizations and Personnel  124 8.2.3  Business Scope and Work Requirements of Evaluation Organizations  125 8.3  Risk Control of Level Evaluation  125 8.3.1  Esting Risks  125 8.3.2  Risk Aversion  126 8.4  Evaluation Reports  127 Chapter  9 Supervision and Inspection of Cybersecurity Classified Protection  128 9.1  Regular Self-Inspection and Supervision  128 9.1.1  Regular Self-inspection of Registration Organizations  128 9.1.2  Supervision and Inspection of Industry Competent Departments  128 9.2  Supervision and Inspection of Public Security Authorities  129 9.2.1  Principles and Methods  129 9.2.2  Main Contents of Inspection  129 9.2.3  Inspection and Improvement Requirements  130 9.2.4  Inspection Requirements  130 9.2.5  Incidents Investigation  131 9.3  Supervision and Management of Network Service Organizations  131 Part  Ⅲ Appendices  133 Appendix  A Cybersecurity Law of the People’s Republic of China  134 Appendix  B The Cryptography Law of the People’s Republic of China  150 Appendix  C Regulations of the People’s Republic of China on the Protection of Computer Information  System Security  159 Appendix  D Administration Measures for Information Security Classified Protection  163 Appendix  E Regulations for the Cybersecurity Classified Protection  176 Appendix  F Specifications on Information Security Classified Protection Inspection of Public  Security Authorities (Trial)  194 Table  of Contents Appendix  G Administration Measures for Cybersecurity Classified Protection Evaluation  Organizations  200 Appendix  H Interpretation of Classification Guide for Classified Protection of Cybersecurity  (GB/T 22240—2020)  211 Appendix  I Interpretation of Baseline for Classified Protection of Cybersecurity (GB/T  22239—2019)  218 Appendix  J Interpretation of Technical Requirements of Security Design for Classified  Protection of Cybersecurity (GB/T 25070—2019)  235 Appendix  K Interpretation of Evaluation Requirement for Classified Protection of Cybersecurity  (GB/T 28448—2019)  259 Glossary  of Classified Protection Terms  265