This article introduces the internal relationship between the classified network security protection system, the critical information infrastructure security protection system, and the data security protection system. In the process of cyber security protection, personal information is included in the scope of data security protection, so only the relationship between the above three systems is introduced here.
I. The graded network security protection system is the foundation, and the critical information infrastructure security protection system and data security protection system are the focus
Article 21 of the Cybersecurity Law stipulates that the State implements a graded cybersecurity protection system, which is the basic system, basic national policy and basic method of cybersecurity, and the foundation of network and data security. Article 31 of the Cybersecurity Law and Article 6 of the Regulations on the Security Protection of Critical Information Infrastructure stipulate that critical information infrastructure shall be protected on the basis of the graded network security protection system. Article 27 of the Data Security Law stipulates that the use of the Internet and other information networks to carry out data processing activities shall be based on the classified network security protection system and the obligation to protect data security.
The Regulations on the Security Protection of Critical Information Infrastructure and the Data Security Law extend the classified cybersecurity protection system to the fields of critical information infrastructure security protection and data security protection, and take the classified network security protection system as the basis for both. The state has thus determined the relationship between the three systems at the legal level. Therefore, at the policy level and the standard level, the three systems should be effectively connected in accordance with the law.
II. Establish a scientific network security system
The network security system is shown in the figure. In order to establish a scientific network security system, first, from the vertical perspective in the figure, the establishment of each system needs to be coordinated in three aspects: laws, policies, and standards. Second, from the horizontal perspective in the figure, the network security graded protection system, the critical information infrastructure security protection system and the data security protection system need to be coordinated and consistent in terms of laws, policies, and standards respectively.
Illustration: The interrelationship between the three systems.
1. Establish a scientific graded network security protection system
China has established a relatively complete and scientific graded network security protection system that is coordinated in terms of laws, policies, and standards. First, the Cybersecurity Law and other laws and regulations clearly stipulate the graded cybersecurity protection system. Second, in accordance with the provisions of the law, the Ministry of Public Security has issued a series of policy documents on classified cybersecurity protection that are organically connected with laws and regulations, such as the Guiding Opinions on Implementing the Classified Cybersecurity Protection System and the Critical Information Infrastructure Security Protection System (Gongwangan 2020 No. 1960) and the Guiding Opinions on Implementing Key Measures for Cybersecurity Protection and In-depth Implementation of the Classified Cybersecurity Protection System (Gongwangan 2022 No. 1058). Third, under the guidance of laws and policies, the state has issued national standards and industry standards that are organically connected with laws and policies, such as the Guidelines for the Grading of Classified Cyber Security Protection, the Basic Requirements for Classified Cyber Security Protection, the Evaluation Requirements for Classified Cyber Security, the Technical Requirements for Security Design of Classified Cyber Security Protection, and the Implementation Guide for Classified Cyber Security Protection. As a result, the state has established a scientific system of graded protection for network security.
2. Establish a scientific security protection system for critical information infrastructure
Critical information infrastructure is the top priority of network security protection, and the establishment of a scientific critical information infrastructure security protection system is one of the important tasks in the field of network security. At the national level, first, the Regulations on the Security Protection of Critical Information Infrastructure have been promulgated. Second, the Ministry of Public Security has issued relevant policy documents on strengthening the security protection of critical information infrastructure. Third, the national standard "Requirements for the Security Protection of Critical Information Infrastructure" has been promulgated. However, a standard system for the security protection of critical information infrastructure has not yet been established. Therefore, it is necessary to speed up the formulation of national standards and industry standards that are in line with laws and policies, and to form a critical information infrastructure security protection system that is coordinated in terms of laws, policies, and standards.
3. Establish a scientific data security protection system
Important data is also the top priority of network security protection, and the establishment of a scientific data security protection system is also one of the important tasks in the field of network security. The state has promulgated the Data Security Law and issued policy documents on strengthening data security protection, but important national data security standards have not yet been issued. Therefore, it is necessary to establish a data security standard system that is in line with laws and policies, and accelerate the establishment of a scientific data security protection system.
III. Establish a scientific network security system from the three levels of laws, policies, and standards
1. The three systems are organically connected and coordinated at the legal level. The law clarifies the relationship between the three systems, that is, the network security graded protection system is the foundation, and the critical information infrastructure security protection system and the data security protection system are implemented on the basis of the network security graded protection system. The law clarifies the relationship between the three systems, which is convenient for the whole society to abide by and implement.
2. At the policy level, the three systems need to be organically connected and coordinated. Since the laws and regulations clearly stipulate the relationship between the three systems, the policy must be coordinated and organically connected in accordance with the requirements of the law. First, the critical information infrastructure security protection policy, data security protection policy and network security graded protection policy issued by the state have been organically connected. Second, the critical information infrastructure security protection policy issued by the Ministry of Public Security is organically connected with the network security protection policy. The issuance of data security protection policy documents should also be organically connected and coordinated with the classified network security protection policies.
3. The three systems need to be organically connected and coordinated at the standard level. Since the law and policy have made clear provisions on the relationship between the three systems, the three systems must be coordinated and organically connected in accordance with the requirements of laws and policies in terms of standards. First, a series of standards such as the "Guidelines for the Grading of Classified Cyber Security Protection", "Basic Requirements for Classified Cyber Security Protection", "Evaluation Requirements for Classified Cyber Security", "Technical Requirements for Security Design of Classified Cyber Security" and "Implementation Guide for Classified Cyber Security" issued by the state are scientific and systematic, and have been proven to be scientific and practical after years of testing and practice. Second, in terms of critical information infrastructure security protection, after the promulgation of the "Regulations on the Security Protection of Critical Information Infrastructure", only one national standard, "Requirements for the Security Protection of Critical Information Infrastructure", has been promulgated. After the promulgation of the Data Security Law, the national standards for data security protection have not yet been promulgated. The standards of these two systems need to be organically connected, coordinated and scientifically formulated with the standards for classified protection of network security, so as to establish and implement the three important systems of network security stipulated by the law.
IV. Coordinate the implementation of the tiered network security protection system and the critical information infrastructure security protection system
The multi-level network security protection system and the critical information infrastructure security protection system are the basic and important systems determined by the Cybersecurity Law and the Regulations on the Security Protection of Critical Information Infrastructure. The two are closely related, and ensuring the scientific and coordinated implementation of these two systems is very important. To this end, it is necessary to thoroughly implement the graded network security protection system, establish a good network security protection ecology, establish and implement a critical information infrastructure security protection system, highlight the key points of protection, vigorously strengthen the security, protection and safeguarding of critical information infrastructure, improve the national comprehensive network security prevention and control system, effectively prevent network security threats, effectively respond to cyber warfare threats, effectively handle network security incidents, severely crack down on illegal and criminal activities that endanger network security, and effectively protect national cyberspace sovereignty and social public interests.
1. The legal relationship between the classified network security protection system and the critical information infrastructure security protection system
The Cybersecurity Law stipulates that the state implements a graded cybersecurity protection system, and critical information infrastructure implements key protection on the basis of the graded cybersecurity protection system. The law stipulates that classified network security protection is the foundation of critical information infrastructure security protection, and carrying out network security classified protection is the premise and important guarantee for carrying out critical information infrastructure security protection work.
2. The implementation of the graded network security protection system and the critical information infrastructure security protection system should adhere to coordination and consistency
The state has basically established a system of graded cybersecurity protection, including an organizational leadership system, a legal system, a policy system, a standard system, a technical support system, a protection system, a talent team system, an education and training system, and a guarantee system, and the graded cybersecurity protection system has been further implemented. The critical information infrastructure security protection system is a new system for national network security work. A critical information infrastructure security protection system is established, including a legal system, a policy system, a standard system, a protection system, a security system and a guarantee system, so as to ensure that the critical information infrastructure security protection system is implemented. In the process of implementing the graded network security protection system and the critical information infrastructure security protection system, the two systems should be coordinated and organically connected in terms of formulating and promulgating laws, regulations, and policies, researching and formulating standards, and taking important measures, so as to reflect the positioning and requirements of the law for the two systems.
3. The implementation of the graded network security protection system and the critical information infrastructure security protection system have different priorities
The graded network security protection system is the basic system and basic national policy of national network security, which is universal and fully covered, and the whole society should carry out network security protection work in accordance with the requirements of the classified network security protection system. At the same time, the classified network security protection system focuses on the protection of the protection objects at different levels, and different levels of protection objects adopt different protection measures and protection intensities. The critical information infrastructure security protection system is a key national network security protection system, emphasizing security, protection and guarantee for critical information infrastructure. In terms of security, it is reflected in the fact that in response to illegal and criminal activities that endanger critical information infrastructure, public security organs, first-class organs and other departments have vigorously carried out investigations and crackdowns, and strengthened the security and protection of critical information infrastructure. In terms of protection, it is reflected in the adoption of advanced technologies and important measures to strengthen and enhance protection of critical information infrastructure on the basis of meeting the basic requirements, baseline requirements and compliance requirements of classified network security protection. In terms of guarantee, it is reflected in the development and reform, finance, education, establishment, science and technology and other departments providing sufficient guarantees for critical information infrastructure in terms of engineering projects, funding, personnel training, institutional establishment, scientific research and other aspects.