1.2 Establishment of Information Security Classified Protection System
In April 1994, China established its first connection to the Internet. With the development and broad penetration of the Internet in China, the limitations of the Regulations on the Protection of Computer Information System Security and the Classified Criteria for Security Protection of Computer Information System gradually emerged. The government recognized that the State Council’s Order No. 147, even though published in February 1994, did not adequately cover the security needs of network applications. At the same time, cybersecurity began to be recognized as an important part of the national strategy.
In 2003, the General Office of the CPC Central Committee and the General Office of the State Council published the China Informatization Leading Group’s Opinions on Strengthening Information Security Guarantee Work [No. 27 (2003), the General Office of the CPC Central Committee], which proposed to protect the basic information networks and important information systems related to national security, economic lifeline, and social stability. The document proposes establishing an information security classified protection system, and formulating management methods and technical guidelines for the information security classified protection approach. This was the first document that proposed the information security classified protection system, which marked the transition of the classified protection approach from a system for computer information systems security protection to one providing fundamental national information security assurance.
In September 2004, the Ministry of Public Security, National Administration of State Secrets Protection, State Cryptography Administration and the former Informatization Office under the State Council jointly issued the Implementation Opinions on Information Security Classified Protection [No. 66 (2004), the Ministry of Public Security]. This opinion defines the principle of the information security classified protection system, its basic content, the division of responsibilities among the relevant functional departments, the requirements for implementing information security classified protection, and the implementation plan for information security classified protection practices. The document suggests implementing the information security classified protection system throughout China in three years. This kicked off the nationwide promotion and implementation of the information security classified protection system.
Through nearly three years of effort, the government and industry gradually normalized the processes and procedures, and formalized a series of supporting technical standards for the information security classified protection system. In June 2007, based on these foundations, MPS and three other departments jointly published a ministerial regulation, the Administration Measures for Information Security Classified Protection [No. 43 (2007)]. Regulation No. 43 expands the basic contents and provides detailed process and procedural requirements for the information security classified protection system, including the roles and responsibilities of individual operating organizations, user organizations, and supervision authorities in information security classified protection practices, which makes the system more practicable and easier to operate.
The promulgation and implementation of the Administration Measures for Information Security Classified Protection marks the transformation from the classified protection system of computer information systems to the classified protection system of information security in China, and it serves as a milestone in the development of China’s classified protection system.
Since 2007, in accordance with the implementation situation of the Administration Measures for Information Security Classified Protection, the Ministry of Public Security has revised the supporting standards system. With the support and assistance of the National Standardization Management Committee and the National Information Security Standardization Technical Committee (TC260), MPS formulated a series of national standards for the classified protection system approach, including the Classification Guide for Classified Protection of Information System Security (GB/T 22240), the Baseline for Classified Protection of Cybersecurity (GB/T 22239), the Implementation Guide for Classified Protection of Information System, and the Evaluation Requirement for Classified Protection of Cybersecurity (GB/T 28448). The implementation of these information security classified protection system standards further improved China’s overall information security assurance capability, contributing to China’s economic and social development.