Foreword
The Cybersecurity Law of the People’s Republic of China (hereinafter referred to as the Cybersecurity Law), effective from June 1, 2017, is a basic law that provides the fundamental legal framework and protection required for overall cybersecurity work in China. The Cybersecurity Law clearly stipulates that China implements the Cybersecurity Classified Protection System (CCPS), and uses the CCPS as the foundation for building and protecting critical information infrastructure. The CCPS defines the basic system, strategy, and method for China’s cybersecurity practices, which provides the foundation for promoting the development and protection of information technology, as well as maintaining national security, public order and public interests.
The State Council and the CPC Central Committee have also issued a series of documents mandating the implementation of the CCPS for the protection of the basic information network and important information systems related to national security, the economy and social stability, and for building and perfecting a system of cybersecurity protection based on the CCPS. Cybersecurity classified protection, in which security protection measures are determined based on an assessment of the potential impact of compromise, is a common practice in developed countries[1] for protecting critical information infrastructure and data security.
Through years of practice, the Ministry of Public Security of China, in partnership with the National Administration of State Secrets Protection, the State Cryptography Administration, the State-owned Assets Supervision and Administration Commission of the State Council, the National Development and Reform Commission, the Ministry of Finance and the Ministry of Education, has jointly formalized a series of policies as the regulatory framework, and established a series of standards required for governing and assuring cybersecurity classified protection practices in China.
This book provides a brief overview of the Cybersecurity Law, introduces and analyzes the key contents, methodology, procedures, policies and standards required for the implementation of cybersecurity classified protection practices, and describes the implementation procedures required for CCPS compliance, which include level determination, registration, development and improvement, evaluation, and supervision and inspection. We further discuss how organizations may develop and improve their CCPS compliance, and provide additional references for relevant enterprises, practitioners and managerial personnel.
Notes
[1] For example, the United States National Institute of Standards and Technology (NIST) Federal Information Processing Standards Publication (FIPS PUB) 199 (2004), Standards for Security Categorization of Federal Information and Information Systems, uses impact assessment to categorize the criticality of information systems into LOW, MEDIUM, and HIGH categories, which is then used for selecting the security and privacy controls (based on NIST Special Publication 800-53) required for the protection of federal information systems and organizations at that level. While terminology and implementation differ, the principal approach adopted by China's Cybersecurity Classified Protection System is similar.