NOTE: This translation was originally published on the China Copyright and Media blog, a project of DigiChina’s Prof. Rogier Creemers of the University of Leiden. It has not been edited, double-checked, or standardized with DigiChina’s original content. Read more.
Ministry of Industry and Information Technology of the People’s Republic of China
Decree No. 11
The “Telecommunications Cybersecurity Protection Management Rules” were deliberated and passed at the 8th Ministerial Affairs Meeting of the Ministry of Industry and Information Technology of the People’s Republic of China, are hereby promulgated and take effect on 1 March 2010.
Minister: Li Yizhong
21 January 2010
Telecommunications Cybersecurity Protection Management Rules
Article 1: In order to strengthen management over cybersecurity in telecommunications, raise telecommunications cybersecurity protection capabilities, ensure that telecommunications networks are secure and unimpeded, on the basis of the “Telecommunications Regulations of the People’s Republic of China”, these Rules are formulated.
Article 2: These Rules apply to cybersecurity protection work in public telecommunications networks and the Internet (hereafter jointly named “telecommunications networks”) managed and operated by telecommunications business operators and Internet domain name service providers (hereafter jointly named telecommunications network-operating work units) within the territory of the People’s Republic of China.
Internet domain name services as mentioned in these Rules refers to activities of establishing domain name databases or domain name resolution servers, in order to provide domain name registration or authoritative resolution services to domain name holders.
Cybersecurity protection work as mentioned in these Rules, refers to work conducted in order to prevent telecommunications networks from being blocked, suspended, paralysed or illegally controlled, as well as in order to prevent that the data and information transferred, stored or processed on telecommunications networks are lost, leaked or distorted.
Article 3: Telecommunications cybersecurity protection work maintains the principles of active defence, comprehensive prevention and tiered protection.
Article 4: The Ministry of Industry and Information Technology of the People’s Republic of China (hereafter abbreviated as MIIT) is responsible for uniform guidance over nationwide telecommunications cybersecurity work, coordination and inspection, for organizing the establishment and completion of a telecommunications cybersecurity protection system, and for formulating telecommunications sector-related standards.
All provincial, autonomous region and municipal telecommunications management bureaus (hereafter abbreviated telecommunications management bureaus) will, on the basis of the provisions of these Rules, conduct guidance, coordination and inspection of telecommunications cybersecurity protection work within their administrative areas.
The MIIT and telecommunications management bureaus are jointly named “telecommunications management bodies”.
Article 5: Telecommunications network-operating work units shall, according to the regulations of telecommunications management bodies and telecommunications sector standards, conduct telecommunications cybersecurity protection work, and be responsible for cybersecurity within the said work unit.
Article 6: Telecommunications network-operating work units building, rebuilding or expanding telecommunications network projects and plans, shall simultaneously build telecommunications cybersecurity protection equipment, and conduct verification and put it into operation simultaneously with the main project.
Telecommunications cybersecurity protection equipment building, rebuilding or expansion fees shall be entered into the construction project budget of the work unit.
Article 7: Telecommunications network operating work units shall conduct individual planning of the telecommunications network the work unit has officially put into operations, and according to the degree of harm that may result to national security, economic operations, social order and the public interest from the destruction of each telecommunications network unit, respectively classify it as first-level, second-level, third-level, fourth-level and fifth-level from low to high.
Telecommunications management bodies shall organize experts to assess the classification situation of telecommunications network units.
Telecommunications network operating bodies shall, on the basis of the real situation, timely adjust the delineation and classification of telecommunications network units, and conduct assessment according to the provisions of the previous Paragraph.
Article 8: Telecommunications network operating work units shall, within 30 days of a telecommunications network classification assessment passing, file the telecommunications network unit delineation and classification situation with the telecommunications management body according to the following provisions:
(1) Basic telecommunications operator group companies apply with the MIIT for filing of their directly managed telecommunications network units; basic telecommunications operators’ subordinate companies or branch companies in every province (autonomous region, municipality) apply with the local telecommunications management bureau for filing of the telecommunications network unit for whose management they are responsible.
(2) Value-added telecommunications operators file with the telecommunications management body that issued the telecommunications operations permission decision.
(3) Internet domain name service providers file with the MIIT.
Article 9: Telecommunications network operating work units conducting telecommunications network unit filing shall submit the following information:
(1) the name, classification and main function of the telecommunications network unit;
(2) the name and contact method of the responsible work unit for the telecommunications network unit;
(3) the name and contact method of the main responsible person for the telecommunications network unit;
(4) the topological structure, network boundaries, main software and hardware components and model numbers as well as critical equipment of the telecommunications network unit;
(5) other information concerning telecommunications cybersecurity that the telecommunications management body requires to be submitted.
Where a change occurs in the filing information provided in the previous Paragraph, the telecommunications network operating work unit shall, within 30 days of the information change occurring, file the change with the telecommunications management body.
Information reported by telecommunications network operating work units shall be true and complete.
Article 10: Telecommunications management bodies shall inspect the veracity and completeness of filing information, where they discover filing information is untrue or incomplete, they shall notify the filing work unit to rectify the matter.
Article 11: Telecommunications network operating work units shall implement security protection measures suited to the telecommunications network unit tier, and conduct compliance checks according to the following provisions:
(1) third-level and higher telecommunications network units shall undergo compliance checks once annually;
(2) second-level telecommunications network units shall undergo compliance checks once every two years.
Where telecommunications network units’ delineation and classification are adjusted, they shall undergo a compliance check again within 90 days after the adjustment is completed.
Telecommunications network operating work units shall, within 30 days of the check being completed, notify the telecommunications network unit compliance check outcome, improvement situation or improvement plan to the filing body of the telecommunications network unit.
Article 12: Telecommunications network operating work units shall, according to the following provisions, organize security risk assessment of telecommunications network units, and timely eliminate major cybersecurity vulnerabilities:
(1) third-level and higher telecommunications network units shall undergo a security risk assessment once annually;
(2) second-level telecommunications network units shall undergo security risk assessments one every two years.
Before major State events take place, telecommunications network units shall undergo security risk assessments according to the telecommunication management body’s requirements.
Telecommunications network operating work units shall, within 30 days after the security risk assessment being completed, notify the security risk assessment outcome, vulnerability handling situation or handling plan to the filing body of the telecommunications network unit.
Article 13: Telecommunications network operating work units shall create back-ups of the important circuits, equipment, systems and data of telecommunications network units.
Article 14: Telecommunications network operating work units shall organize practices to test the efficacy of telecommunications network security protection measures.
Telecommunications network operating work units shall participate in practices organized and conducted by telecommunications management bodies.
Article 15: Telecommunications network operating work units shall establish and operate telecommunications network security supervision and monitoring systems, and conduct supervision and monitoring of the security state of the work unit’s telecommunications network.
Article 16: Telecommunications network operating work units may entrust specialist bodies with conducting telecommunications cybersecurity monitoring, assessment, supervision and other such work.
MIIT shall, on the basis of the needs of telecommunications network security protection work, strengthen guidance over the security monitoring, assessment and supervision capabilities of entrusted bodies as provided in the previous Paragraph.
Article 17: Telecommunications management bodies shall conduct inspections of telecommunications network operating work units’ conduct of telecommunications cybersecurity protection work.
Telecommunications management bodies may adopt the following inspection measures:
(1) consulting telecommunication network operating work units’ compliance check reports and risk assessment reports;
(2) consulting telecommunications network operating work units’ files and work records concerning cybersecurity protection;
(3) inquiring with telecommunications network operating work units’ personnel to understand the relevant situation;
(4) verifying the relevant facilities of telecommunications network operating work units;
(5) technical analyses and surveys conducted of the telecommunications network;
(6) other inspection measures provided in laws and administrative regulations.
Article 18: Telecommunications management bodies may entrust specialized bodies to conduct cybersecurity inspection activities.
Article 19: Telecommunications network operating work units shall cooperate with telecommunications management bodies and their entrusted specialized bodies conducting inspection activities, and shall timely rectify major cybersecurity vulnerabilities discovered during inspections.
Article 20: Telecommunications management bodies, when conducting inspections of telecommunications cybersecurity protection work, may not influence the regular operations of telecommunications networks, may not collect any fees, may not require the work unit under inspection to purchase specific brands or specific work units’ security software, equipment or other products.
Article 21: Telecommunications management bodies and their entrusted specialized bodies’ work personnel are obliged to maintain the secrecy of State secrets, commercial secrets and personal privacy they learn in the course of their work.
Article 22: Those violating the provisions of Article 6 Paragraph I, Article 77 Paragraph I and Paragraph III, Article 8, Article 9, Article 11, Article 12, Article 13, Article 14, Article 15, Article 19 of these Rules, will be ordered to rectify the situation by the telecommunications management bodies on the basis of their duties and responsibilities; those who refuse to rectify, will be issued a warning, and punished with a fine between 5000 Yuan and 30000 Yuan.
Article 23: Where telecommunications management body work personnel violate the provisions of Article 20 and Article 21 of these Rules, they will be subject to administrative punishment according to the law; where it constitutes a crime, criminal liability will be prosecuted according to the law.
Article 24: These Rules take effect on 1 March 2010.
中华人民共和国工业和信息化部令第 11 号 《通信网络安全防护管理办法》已经2009年12月29日中华人民共和国工业和信息化部第8次部务会议审议通过,现予公布,自2010年3月1日起施行。部 长 李毅中 二〇一〇年一月二十一日
通信网络安全防护管理办法 第一条 为了加强对通信网络安全的管理,提高通信网络安全防护能力,保障通信网络安全畅通,根据《中华人民共和国电信条例》,制定本办法。 第二条 中华人民共和国境内的电信业务经营者和互联网域名服务提供者(以下统称“通信网络运行单位”)管理和运行的公用通信网和互联网(以下统称“通信网络”)的网络安全防护工作,适用本办法。 本办法所称互联网域名服务,是指设置域名数据库或者域名解析服务器,为域名持有者提供域名注册或者权威解析服务的行为。 本办法所称网络安全防护工作,是指为防止通信网络阻塞、中断、瘫痪或者被非法控制,以及为防止通信网络中传输、存储、处理的数据信息丢失、泄露或者被篡改而开展的工作。 第三条 通信网络安全防护工作坚持积极防御、综合防范、分级保护的原则。 第四条 中华人民共和国工业和信息化部(以下简称工业和信息化部)负责全国通信网络安全防护工作的统一指导、协调和检查,组织建立健全通信网络安全防护体系,制定通信行业相关标准。 各省、自治区、直辖市通信管理局(以下简称通信管理局)依据本办法的规定,对本行政区域内的通信网络安全防护工作进行指导、协调和检查。 工业和信息化部与通信管理局统称“电信管理机构”。 第五条 通信网络运行单位应当按照电信管理机构的规定和通信行业标准开展通信网络安全防护工作,对本单位通信网络安全负责。 第六条 通信网络运行单位新建、改建、扩建通信网络工程项目,应当同步建设通信网络安全保障设施,并与主体工程同时进行验收和投入运行。 通信网络安全保障设施的新建、改建、扩建费用,应当纳入本单位建设项目概算。 第七条 通信网络运行单位应当对本单位已正式投入运行的通信网络进行单元划分,并按照各通信网络单元遭到破坏后可能对国家安全、经济运行、社会秩序、公众利益的危害程度,由低到高分别划分为一级、二级、三级、四级、五级。 电信管理机构应当组织专家对通信网络单元的分级情况进行评审。 通信网络运行单位应当根据实际情况适时调整通信网络单元的划分和级别,并按照前款规定进行评审。 第八条 通信网络运行单位应当在通信网络定级评审通过后30日内,将通信网络单元的划分和定级情况按照以下规定向电信管理机构备案: (一)基础电信业务经营者集团公司向工业和信息化部申请办理其直接管理的通信网络单元的备案;基础电信业务经营者各省(自治区、直辖市)子公司、分公司向当地通信管理局申请办理其负责管理的通信网络单元的备案。 (二)增值电信业务经营者向作出电信业务经营许可决定的电信管理机构备案。 (三)互联网域名服务提供者向工业和信息化部备案。 第九条 通信网络运行单位办理通信网络单元备案,应当提交以下信息: (一)通信网络单元的名称、级别和主要功能; (二)通信网络单元责任单位的名称和联系方式; (三)通信网络单元主要负责人的姓名和联系方式; (四)通信网络单元的拓扑架构、网络边界、主要软硬件及型号和关键设施位置; (五)电信管理机构要求提交的涉及通信网络安全的其他信息。 前款规定的备案信息发生变化的,通信网络运行单位应当自信息变化之日起30日内向电信管理机构变更备案。 通信网络运行单位报备的信息应当真实、完整。 第十条 电信管理机构应当对备案信息的真实性、完整性进行核查,发现备案信息不真实、不完整的,通知备案单位予以补正。 第十一条 通信网络运行单位应当落实与通信网络单元级别相适应的安全防护措施,并按照以下规定进行符合性评测: (一)三级及三级以上通信网络单元应当每年进行一次符合性评测; (二)二级通信网络单元应当每两年进行一次符合性评测。 通信网络单元的划分和级别调整的,应当自调整完成之日起90日内重新进行符合性评测。 通信网络运行单位应当在评测结束后30日内,将通信网络单元的符合性评测结果、整改情况或者整改计划报送通信网络单元的备案机构。 第十二条 通信网络运行单位应当按照以下规定组织对通信网络单元进行安全风险评估,及时消除重大网络安全隐患: (一)三级及三级以上通信网络单元应当每年进行一次安全风险评估; (二)二级通信网络单元应当每两年进行一次安全风险评估。 国家重大活动举办前,通信网络单元应当按照电信管理机构的要求进行安全风险评估。 通信网络运行单位应当在安全风险评估结束后30日内,将安全风险评估结果、隐患处理情况或者处理计划报送通信网络单元的备案机构。 第十三条 通信网络运行单位应当对通信网络单元的重要线路、设备、系统和数据等进行备份。 第十四条 通信网络运行单位应当组织演练,检验通信网络安全防护措施的有效性。 通信网络运行单位应当参加电信管理机构组织开展的演练。 第十五条 通信网络运行单位应当建设和运行通信网络安全监测系统,对本单位通信网络的安全状况进行监测。 第十六条 通信网络运行单位可以委托专业机构开展通信网络安全评测、评估、监测等工作。 工业和信息化部应当根据通信网络安全防护工作的需要,加强对前款规定的受托机构的安全评测、评估、监测能力指导。 第十七条 电信管理机构应当对通信网络运行单位开展通信网络安全防护工作的情况进行检查。 电信管理机构可以采取以下检查措施: (一)查阅通信网络运行单位的符合性评测报告和风险评估报告; (二)查阅通信网络运行单位有关网络安全防护的文档和工作记录; (三)向通信网络运行单位工作人员询问了解有关情况; (四)查验通信网络运行单位的有关设施; (五)对通信网络进行技术性分析和测试; (六)法律、行政法规规定的其他检查措施。 第十八条 电信管理机构可以委托专业机构开展通信网络安全检查活动。 第十九条 通信网络运行单位应当配合电信管理机构及其委托的专业机构开展检查活动,对于检查中发现的重大网络安全隐患,应当及时整改。 第二十条 电信管理机构对通信网络安全防护工作进行检查,不得影响通信网络的正常运行,不得收取任何费用,不得要求接受检查的单位购买指定品牌或者指定单位的安全软件、设备或者其他产品。 第二十一条 电信管理机构及其委托的专业机构的工作人员对于检查工作中获悉的国家秘密、商业秘密和个人隐私,有保密的义务。 第二十二条 违反本办法第六条第一款、第七条第一款和第三款、第八条、第九条、第十一条、第十二条、第十三条、第十四条、第十五条、第十九条规定的,由电信管理机构依据职权责令改正;拒不改正的,给予警告,并处5000元以上3万元以下的罚款。 第二十三条 电信管理机构的工作人员违反本办法第二十条、第二十一条规定的,依法给予行政处分;构成犯罪的,依法追究刑事责任。 第二十四条 本办法自2010年3月1日起施行。
