Classified network security protection for the record
In everyday discussion, grading and filing are often mentioned together, because the two tasks follow on closely from one another. Once the grading for graded protection is complete, we need to file for graded protection, and there are some matters that need attention in the filing process.
In the Measures for the Administration of Graded Protection of Information Security, five prescribed actions are given for graded protection work, and filing is the second prescribed action for carrying out graded protection work.
Among the normative documents that set out the filing requirements, the Ministry of Public Security of the People's Republic of China, the State Secrets Bureau, the State Cryptography Administration, and the ** Information Work Office jointly issued the Administrative Measures for the Graded Protection of Information Security (Gongtong Zi 2007 No. 43) and the Notice on Carrying out the Grading of the Security Graded Protection of National Important Information Systems (Gongxinan 2007 861), and the Ministry of Public Security issued the Notice on Printing and Distributing the Implementation Rules for the Filing of Classified Protection of Information Security (Gongxinan 2007 No. 1360). These and other documents standardize the filing of classified protection.
Article 15 of the "Measures for the Administration of Classified Protection of Information Security" sets out the filing requirements for networks at level 2 or above. It requires that, within the specified time, the operating and using units go through the filing formalities at the public security organ at or above the level of the city divided into districts where they are located, and that they fill in the "Information System Security Graded Protection Filing Form" when going through the filing formalities for the security protection level of the information system. Article 16 also clarifies the seven materials that the above information systems should provide at the same time. Article 17 clarifies the public security organs' obligation to review filings and issue filing certificates, as well as their obligation to inform the unit of problems in grading. After the operating or using units or competent departments re-determine the level of the information system, they shall re-file it with the public security organs in accordance with these Measures. Article 18 provides for the public security organs to inspect the information security level protection work of the operating and using units on the basis of the filing situation.
Article 15 states: "Information systems at level 2 or above that are already in operation shall, within 30 days of the determination of the level of security protection, be filed by the unit that operates or uses them with the public security organ at or above the districted city level where they are located." When reading this article, we should combine it with Article 42 of the "Measures for the Administration of Graded Protection of Information Security", which was issued in 2007: "Units that have already operated and used information systems shall determine the security protection level of information systems within 180 days from the date of implementation of these Measures." In legal theory, that is to say, there is no longer an "old system" in the existing network (information system) that has not been graded and filed.
The Detailed Rules for the Implementation of the Filing of Classified Protection of Information Security issued by the Ministry of Public Security supplement and refine the Administrative Measures for the Classified Protection of Information Security with respect to the filing of non-classified information. According to the Detailed Rules, the Filing Form for Classified Protection of Information Security (hereinafter referred to as the "Filing Form") and its electronic documents shall be submitted when filing. When filing for information systems above the second level, Tables 1, 2 and 3 of the Filing Form shall be submitted; the above information system shall also submit Table 4 of the "Filing Form" and its related materials within 30 days after the completion of the system rectification and evaluation.
That is to say, according to Article 42 of the "Measures for the Administration of Graded Protection of Information Security", "the level of security protection shall be determined in the design and planning stage of a new information system". The grading work is therefore carried out in the planning and design stage, and after the grading is completed the unit must take the initiative to file with the public security organs within the specified time.
In the process of filing, one of the most important documents we need to submit is the "Information System Security Graded Protection Filing Form", which also involves seven supplementary materials. The filing form comes in two types, one for systems involving secrets and one for systems not involving secrets. The templates are given by the "Notice on Carrying out the Work of Grading the Security of Classified Information Systems of National Important Information Systems" jointly issued by the four departments, including the templates of the "Grading Report on the Graded Protection of Information System Security", the "Filing Form for Classified Protection of Information System Security", and the "Filing Form for the Graded Protection of Information Systems Involving State Secrets".
The Regulations on Classified Protection of Cybersecurity (Draft for Comments) promulgated in 2018 have adjusted the time limit for filing. For example, the Measures for the Administration of Graded Protection of Information Security clearly state that "within 30 days after the operation of a new information system at or above the second level, the unit operating or using it shall go through the filing formalities with the public security organ at or above the districted city level where it is located", while the Regulations on the Classified Protection of Network Security (Draft for Comments) state that "[Grading and Filing] Network operators above the second level shall file with the public security organ at or above the county level within 10 working days after the security protection level of the network is determined."
At the same time, we see that the filing authority in the Regulations on Classified Protection of Cybersecurity (Draft for Comments) has also been adjusted from "public security organs at or above the municipal level divided into districts" to "public security organs at or above the county level". In particular, in terms of timeliness, with the further deepening of the work of "delegating power, streamlining administration, and improving services", all localities may have shortened the processing time on the basis of the "Measures for the Management of Classified Protection of Information Security".
In general, the responsible unit is the main party responsible for the grading and filing work.
The responsible unit needs to preliminarily draft the network security protection level according to the actual situation of the network as planned and designed, following the "Network Security Graded Protection Grading Guide" and the requirements of industry standards. It then organizes experts to carry out the rating review, adjusts and revises the security protection level according to the expert review results, reports to the competent department for approval, and, based on the results of that approval, finally issues a rating report that meets the requirements. Based on the grading results and the planning and design documents, it sorts out the basic information required for the filing form and fills in the filing form as required. In accordance with the specific requirements of the "Detailed Rules for the Implementation of the Filing of Classified Information Security Protection", the filing materials shall be sent to the public security organs, and the public security organs will make the final review.
To obtain the "Information System Security Graded Protection Filing Certificate" issued by the public security organ, the network operator (responsible unit) needs to implement "synchronous design" according to the final security protection level and the graded protection requirements, and carry out detailed design from the technical and management dimensions in accordance with the relevant national standards for classified security protection. Construction should strictly follow the design plan, with good safety construction management. Where the construction process reveals parts that do not meet the safety protection level, they should be rectified and reinforced in a timely manner until they are in line with the requirements of national and industry standards, and detailed safety construction management process documents should be retained. In this process, "synchronous construction" is implemented, along with safety responsibilities, safety management measures and technical protection measures. This lays a good foundation for the later evaluation of security level protection.
References:
Cybersecurity MLPS Grading Guide
Cybersecurity Law and the Cybersecurity Graded Protection System
Notice on Carrying Out Work on Grading the Security Graded Protection of National Important Information Systems
Measures for the Management of Classified Protection of Information Security
Detailed Rules for the Implementation of the Filing of Classified Information Security Protection
Regulations on Classified Protection of Cybersecurity (Draft for Solicitation of Comments)