Open a new stage in the security protection of critical information infrastructure

(2) Clarify the division of oversight responsibilities. In order to ensure the smooth development of the security protection of critical information infrastructure, the Regulations set up a scientific and rigorous supervision and management mechanism. At the national level, the national network information department is responsible for overall coordination, the public security department of The State Council is responsible for guidance and supervision, and the telecommunications department of The State Council and other relevant departments are responsible for the security protection, supervision and management of key information infrastructure of the industry; At the local level, the relevant departments of the provincial people's governments are responsible for the security protection, supervision and management of critical information infrastructure. It not only effectively ensures the unified, orderly and coordinated promotion of the security protection of critical information infrastructure, but also gives full play to the professional advantages of specific industry sectors to improve the security protection of critical information infrastructure.

3. Strengthening primary responsibility for security. The Regulations emphasize that critical information infrastructure operators (hereinafter referred to as operators) assume the main responsibility for the security protection of critical information infrastructure, and set strict requirements for the operators' own security management mechanism. The first is to emphasize the responsibility of the main person in charge, and make it clear that the main person in charge of the operator is responsible for the security protection of critical information infrastructure. The second is to require the establishment of a special security management organization, which is specifically responsible for the security protection of the critical information infrastructure of the unit. The third is the implementation of security background checks for personnel in key positions, including the person in charge of the operator's special safety management agency and the personnel identified as key positions. The fourth is to ensure the operation of the special safety management agency, and provide funds and professional personnel protection for the special safety management agency of the unit.

(4) Detailed security protection requirements. The Regulations strengthen the security protection of critical information infrastructure and put forward higher security protection requirements for operators on the basis of the Network Security Law. The first is to implement the "three synchronization" requirements, requiring security protection measures and critical information infrastructure synchronous planning, synchronous construction, synchronous use, critical information infrastructure from the date of inclusion in the list of key information infrastructure, in the design and construction (expansion), operation and maintenance, emergency recovery, decommissioning and waste stages, should ensure the implementation of security protection covering the whole life cycle. The second is to carry out regular security testing and risk assessment, and the operator must carry out network security testing and risk assessment at least once a year, which can be carried out by itself or commissioned by network security service agencies. The third is to fulfill the obligation of reporting security incidents and threats, in the event of a major cybersecurity incident or the discovery of a major cybersecurity threat, the operator shall report to the relevant departments. The fourth is to implement the requirements of network security review, operator procurement of network products and services may affect national security, should be in accordance with the national network security provisions for security review. Fifth, to strengthen monitoring and early warning and information sharing, the Regulations propose to establish and improve the network security monitoring and early warning system for critical information infrastructure, accurately grasp the operation of critical information infrastructure, and promote network security information sharing.

5. Strengthening key security guarantees. First, the implementation of vulnerability detection, penetration testing and other activities for critical information infrastructure should be approved by the national network information department, the public security department of The State Council, or authorized by the protection department and the operator. Activities such as vulnerability detection and penetration testing of basic telecommunications networks shall be reported to the competent department of telecommunications under The State Council in advance. Second, the energy and telecommunications industries provide important support and resource guarantee for the stable operation of key information infrastructure in finance, water conservancy, transportation and other industries, and the basic telecommunications network is also basic and global, carrying other key information infrastructure. The state will take measures to give priority to the safe operation of key information infrastructure such as energy and telecommunications. The energy and telecommunications industries will provide key guarantees for the safe operation of critical information infrastructure in other industries and fields.