Specific provisions of the Regulations on Equal Protection
The Administrative Measures were issued jointly by the Ministry of Public Security, the State Secrets Bureau, the State Cryptography Administration and the State Council Informatization Office as the core provisions of the Equal Protection 1.0 system (the Multi-Level Protection Scheme, MLPS); in terms of legal effect they are departmental normative documents. In addition, according to Article 1 of the Administrative Measures, the basis for their formulation is the State Council administrative regulation "Regulations on the Security Protection of Computer Information Systems".
Although the Equal Protection Regulations are still at the stage of soliciting public comment, Article 5 of the Regulations on the Procedures for Formulating Administrative Regulations provides that administrative regulations are generally titled "regulations" (条例), and that rules formulated by departments of the State Council or by local people's governments may not be titled "regulations". The Equal Protection Regulations should therefore fall under the category of administrative regulations. In addition, Article 1 of the Equal Protection Regulations states that the basis for their enactment is the Network Security Law and the Law on Guarding State Secrets.
In summary, the Administrative Measures are departmental normative documents formulated on the basis of an administrative regulation, while the Equal Protection Regulations are administrative regulations formulated on the basis of national laws.
Scope of application of hierarchical protection
The Equal Protection Regulations define their scope of application only in general terms: they apply to network operators that build, operate, maintain and use networks within China, to the conduct of network security level protection, and to the supervision and management of such networks, with the exception of networks built and used by individuals and families. On January 19, 2018, the National Information Security Standardization Technical Committee released the "Information Security Technology - Guide for Grading of Network Security Level Protection 2.0 (Exposure Draft)" (hereinafter "Grading Guide 2.0"), which provides guidance on how level protection is applied in practice.
In the Equal Protection 1.0 system, Article 10 of the Administrative Measures expressly provides that the operators and users of information systems shall determine the security protection level of an information system in accordance with the Measures and the Information System Security Level Protection Grading Guide (hereinafter "Grading Guide 1.0"). Grading Guide 2.0 therefore builds largely on the existing provisions of Grading Guide 1.0.
Whereas Grading Guide 1.0 defines the object of level protection in general terms as the information and information systems directly affected by the information security level protection work, Grading Guide 2.0 refines the scope of the grading object under the network security level protection system to cover basic information networks, industrial control systems, cloud computing platforms, the Internet of Things, networks using mobile internet technology, other networks, and big data and other system platforms. In addition, a network treated as a grading object must have three basic characteristics: first, a clearly identified subject bearing primary security responsibility; second, a relatively independent business application that it carries; and third, a number of interrelated resources that it contains.
According to Grading Guide 2.0, grading objects that meet the above basic characteristics must still follow further requirements specific to their type. Basic information networks such as telecommunications networks, radio and television transmission networks and the Internet should be divided into separate grading objects according to factors such as service type, service area and security responsibility subject; a cross-provincial business network may be graded either as a whole or as several objects divided by region. In an industrial control system, the field acquisition/execution, field control and process control elements should be graded together as one object, while the production management elements may be graded separately. A cloud computing platform should be divided into the service-provider side and the tenant side, each graded as a separate object. Although the Internet of Things comprises sensing, network transmission and processing/application elements, these should be graded together as a single object rather than separately. A network using mobile internet technology is treated like the Internet of Things: the mobile terminals, mobile applications, wireless network and the associated wired business systems should be graded together as one object. For big data, the platform and the applications running on it should be graded separately, except that a platform and applications with the same security responsibility subject may be graded as a whole.
Network level
The Equal Protection Regulations retain the five-level security protection system established by the Administrative Measures, but further strengthen the protection of the legitimate rights and interests of citizens, legal persons and other organizations. The main text of the Administrative Measures does not state how an information system should be graded when damage to it would cause particularly serious harm to the legitimate rights and interests of citizens, legal persons and other organizations; Grading Guide 1.0 only shows, in its table relating the grading elements to the security level, that such a system is classified at the second level. The Equal Protection Regulations change this: where damage to the object of level protection would cause particularly serious harm to the legitimate rights and interests of citizens, legal persons and other organizations, the corresponding system shall be classified at the third level of protection. Please refer to the following table for the specific classification:
Network Security Protection Obligations
Article 5 of the Administrative Measures provides that the operators and users of information systems shall fulfil their information security level protection obligations and responsibilities in accordance with the Measures and the relevant standards, but does not specify what those obligations are. As supporting legislation for the Network Security Law, the Equal Protection Regulations follow its existing provisions and set out detailed rules on the general and special security protection obligations of network operators, the procurement of network products and services, and the formulation of emergency response plans.
As to security protection obligations, in addition to what Article 21 of the Network Security Law already requires, general network operators should also: first, establish security management and technical protection systems, including systems for personnel management, education and training, system security construction, and system security operation and maintenance; second, implement computer-room security management, equipment and media security management and network security management systems, and formulate operating specifications and workflows; third, take protective measures when collecting, using and processing personal information to prevent its leakage, destruction, tampering, theft, loss and abuse; and fourth, implement measures to discover, block and eliminate illegal information, to prevent its mass dissemination, and to prevent the loss of evidence of illegal and criminal activity. Beyond these obligations, operators of networks at level three or above should also implement security background checks and a certification (licensing) requirement for network security management personnel, key-position staff and technical staff, and should regularly carry out level assessments.
For the procurement of network products and services, network operators should procure and use products and services that meet the requirements of national laws, regulations and the relevant standards and specifications. Operators of networks at level three or above should adopt network products and services commensurate with their security protection level, and should also engage professional assessment institutions to carry out specialized testing of network products used in key positions.
The "Catalogue of Network Critical Equipment and Specialized Network Security Products (First Batch)", which took effect on June 1, 2017, and the "Directory of Institutions Undertaking Security Certification and Security Testing of Network Critical Equipment and Specialized Network Security Products (First Batch)", issued by the CNCA together with three other departments on March 15, 2018, set out detailed requirements for the network products used by network operators. It is therefore recommended that network operators, when procuring network products and services, require suppliers to provide security certification or testing certificates issued by the listed institutions, in order to reduce legal risk in their operations.
As to emergency response plans, operators of networks at level three or above should formulate network security emergency response plans in accordance with the relevant state provisions and regularly conduct network security emergency response drills. When an incident occurs, network operators should promptly record and retain the incident data and information, report to the public security organs and the competent industry authorities, and provide support and assistance in the handling and recovery of major network security incidents. According to the Ministry of Industry and Information Technology's Emergency Response Plan for Public Internet Network Security Emergencies, an incident report should also state the time of the incident, the preliminarily assessed scope of impact and harm, the emergency measures already taken, and any relevant recommendations.
Network Security Protection Requirements
In recent years, with the rapid development of artificial intelligence, big data, the Internet of Things and cloud computing, and the rapid changes in the security situation, the 2008 standard "GB/T 22239-2008 Information Security Technology - Basic Requirements for the Security Level Protection of Information Systems" (Equal Protection 1.0) no longer meets current security requirements. Starting in 2015, work began on the 2.0 version of the level protection security requirements, comprising five parts: general security requirements, cloud computing security extension requirements, mobile internet security extension requirements, Internet of Things security extension requirements, and industrial control system security extension requirements. In August 2017, the Assessment Center of the Ministry of Public Security, following the opinions of the Cyberspace Administration and the National Information Security Standardization Technical Committee, merged the five draft basic-requirements parts into a single standard, "Basic Requirements for Network Security Level Protection". The Equal Protection 1.0 standard focuses mainly on protective requirements, whereas the Equal Protection 2.0 standard is better adapted to the current network security situation and, in line with the Network Security Law, sets out concrete implementation measures for continuous monitoring, threat intelligence and rapid response.