Ministry of Industry and Information Technology of the People’s Republic of China
Decree No. 11
The “Telecommunications Cybersecurity Protection Management Rules” were deliberated and passed at the 8th Ministerial Affairs Meeting of the Ministry of Industry and Information Technology of the People’s Republic of China; they are hereby promulgated and take effect on 1 March 2010.
Minister: Li Yizhong
21 January 2010
Telecommunications Cybersecurity Protection Management Rules
Article 1: In order to strengthen management over cybersecurity in telecommunications, raise telecommunications cybersecurity protection capabilities, ensure that telecommunications networks are secure and unimpeded, on the basis of the “Telecommunications Regulations of the People’s Republic of China”, these Rules are formulated.
Article 2: These Rules apply to cybersecurity protection work in public telecommunications networks and the Internet (hereafter jointly named “telecommunications networks”) managed and operated by telecommunications business operators and Internet domain name service providers (hereafter jointly named telecommunications network-operating work units) within the territory of the People’s Republic of China.
Internet domain name services as mentioned in these Rules refers to activities of establishing domain name databases or domain name resolution servers, in order to provide domain name registration or authoritative resolution services to domain name holders.
Cybersecurity protection work as mentioned in these Rules refers to work conducted in order to prevent telecommunications networks from being blocked, suspended, paralysed or illegally controlled, as well as in order to prevent the data and information transferred, stored or processed on telecommunications networks from being lost, leaked or distorted.
Article 3: Telecommunications cybersecurity protection work maintains the principles of active defence, comprehensive prevention and tiered protection.
Article 4: The Ministry of Industry and Information Technology of the People’s Republic of China (hereafter abbreviated as MIIT) is responsible for uniform guidance over nationwide telecommunications cybersecurity work, coordination and inspection, for organizing the establishment and completion of a telecommunications cybersecurity protection system, and for formulating telecommunications sector-related standards.
All provincial, autonomous region and municipal telecommunications management bureaus (hereafter abbreviated telecommunications management bureaus) will, on the basis of the provisions of these Rules, conduct guidance, coordination and inspection of telecommunications cybersecurity protection work within their administrative areas.
The MIIT and telecommunications management bureaus are jointly named “telecommunications management bodies”.
Article 5: Telecommunications network-operating work units shall, according to the regulations of telecommunications management bodies and telecommunications sector standards, conduct telecommunications cybersecurity protection work, and be responsible for cybersecurity within the said work unit.
Article 6: Telecommunications network-operating work units building, rebuilding or expanding telecommunications network projects and plans, shall simultaneously build telecommunications cybersecurity protection equipment, and conduct verification and put it into operation simultaneously with the main project.
Telecommunications cybersecurity protection equipment building, rebuilding or expansion fees shall be entered into the construction project budget of the work unit.
Article 7: Telecommunications network operating work units shall conduct individual planning of the telecommunications network the work unit has officially put into operations, and according to the degree of harm that may result to national security, economic operations, social order and the public interest from the destruction of each telecommunications network unit, respectively classify it as first-level, second-level, third-level, fourth-level and fifth-level from low to high.
Telecommunications management bodies shall organize experts to assess the classification situation of telecommunications network units.
Telecommunications network operating bodies shall, on the basis of the real situation, timely adjust the delineation and classification of telecommunications network units, and conduct assessment according to the provisions of the previous Paragraph.
Article 8: Telecommunications network operating work units shall, within 30 days of a telecommunications network classification assessment passing, file the telecommunications network unit delineation and classification situation with the telecommunications management body according to the following provisions:
(1) Basic telecommunications operator group companies apply with the MIIT for filing of their directly managed telecommunications network units; basic telecommunications operators’ subordinate companies or branch companies in every province (autonomous region, municipality) apply with the local telecommunications management bureau for filing of the telecommunications network unit for whose management they are responsible.
(2) Value-added telecommunications operators file with the telecommunications management body that issued the telecommunications operations permission decision.
(3) Internet domain name service providers file with the MIIT.
Article 9: Telecommunications network operating work units conducting telecommunications network unit filing shall submit the following information:
(1) the name, classification and main function of the telecommunications network unit;
(2) the name and contact method of the responsible work unit for the telecommunications network unit;
(3) the name and contact method of the main responsible person for the telecommunications network unit;
(4) the topological structure, network boundaries, main software and hardware components and model numbers as well as critical equipment of the telecommunications network unit;
(5) other information concerning telecommunications cybersecurity that the telecommunications management body requires to be submitted.
Where a change occurs in the filing information provided in the previous Paragraph, the telecommunications network operating work unit shall, within 30 days of the information change occurring, file the change with the telecommunications management body.
Information reported by telecommunications network operating work units shall be true and complete.
Article 10: Telecommunications management bodies shall inspect the veracity and completeness of filing information; where they discover that filing information is untrue or incomplete, they shall notify the filing work unit to rectify the matter.
Article 11: Telecommunications network operating work units shall implement security protection measures suited to the telecommunications network unit tier, and conduct compliance checks according to the following provisions:
(1) third-level and higher telecommunications network units shall undergo compliance checks once annually;
(2) second-level telecommunications network units shall undergo compliance checks once every two years.
Where telecommunications network units’ delineation and classification are adjusted, they shall undergo a compliance check again within 90 days after the adjustment is completed.
Telecommunications network operating work units shall, within 30 days of the check being completed, notify the telecommunications network unit compliance check outcome, improvement situation or improvement plan to the filing body of the telecommunications network unit.
Article 12: Telecommunications network operating work units shall, according to the following provisions, organize security risk assessment of telecommunications network units, and timely eliminate major cybersecurity vulnerabilities:
(1) third-level and higher telecommunications network units shall undergo a security risk assessment once annually;
(2) second-level telecommunications network units shall undergo security risk assessments once every two years.
Before major State events take place, telecommunications network units shall undergo security risk assessments according to the telecommunication management body’s requirements.
Telecommunications network operating work units shall, within 30 days of the security risk assessment being completed, notify the security risk assessment outcome, vulnerability handling situation or handling plan to the filing body of the telecommunications network unit.
Article 13: Telecommunications network operating work units shall create back-ups of the important circuits, equipment, systems and data of telecommunications network units.
Article 14: Telecommunications network operating work units shall organize practices to test the efficacy of telecommunications network security protection measures.
Telecommunications network operating work units shall participate in practices organized and conducted by telecommunications management bodies.
Article 15: Telecommunications network operating work units shall establish and operate telecommunications network security supervision and monitoring systems, and conduct supervision and monitoring of the security state of the work unit’s telecommunications network.
Article 16: Telecommunications network operating work units may entrust specialist bodies with conducting telecommunications cybersecurity monitoring, assessment, supervision and other such work.
MIIT shall, on the basis of the needs of telecommunications network security protection work, strengthen guidance over the security monitoring, assessment and supervision capabilities of entrusted bodies as provided in the previous Paragraph.
Article 17: Telecommunications management bodies shall conduct inspections of telecommunications network operating work units’ conduct of telecommunications cybersecurity protection work.
Telecommunications management bodies may adopt the following inspection measures:
(1) consulting telecommunication network operating work units’ compliance check reports and risk assessment reports;
(2) consulting telecommunications network operating work units’ files and work records concerning cybersecurity protection;
(3) inquiring with telecommunications network operating work units’ personnel to understand the relevant situation;
(4) verifying the relevant facilities of telecommunications network operating work units;
(5) technical analyses and surveys conducted of the telecommunications network;
(6) other inspection measures provided in laws and administrative regulations.
Article 18: Telecommunications management bodies may entrust specialized bodies to conduct cybersecurity inspection activities.
Article 19: Telecommunications network operating work units shall cooperate with telecommunications management bodies and their entrusted specialized bodies conducting inspection activities, and shall timely rectify major cybersecurity vulnerabilities discovered during inspections.
Article 20: Telecommunications management bodies, when conducting inspections of telecommunications cybersecurity protection work, may not influence the regular operations of telecommunications networks, may not collect any fees, may not require the work unit under inspection to purchase specific brands or specific work units’ security software, equipment or other products.
Article 21: Telecommunications management bodies and their entrusted specialized bodies’ work personnel are obliged to maintain the secrecy of State secrets, commercial secrets and personal privacy they learn in the course of their work.
Article 22: Those violating the provisions of Article 6 Paragraph I, Article 7 Paragraph I and Paragraph III, Article 8, Article 9, Article 11, Article 12, Article 13, Article 14, Article 15, Article 19 of these Rules, will be ordered to rectify the situation by the telecommunications management bodies on the basis of their duties and responsibilities; those who refuse to rectify will be issued a warning, and punished with a fine between 5000 Yuan and 30000 Yuan.
Article 23: Where telecommunications management body work personnel violate the provisions of Article 20 and Article 21 of these Rules, they will be subject to administrative punishment according to the law; where it constitutes a crime, criminal liability will be prosecuted according to the law.
Article 24: These Rules take effect on 1 March 2010.