Implementation Opinions concerning the Information Security Multi-Level Protection System

Posted on September 15, 2004 Updated on October 6, 2020

Notice concerning Issuance of the “Implementation Opinions concerning the Information Security Multi-Level Protection System”

(GTZ No. [2004]66)

All provincial, autonomous region and municipal public security offices (bureaus), secrecy protection bureaus, the Office of the National Encryption Management Committee, the Office of the Leading Group for Informatization, the Xinjiang Production-Construction Corps Public Security Bureau, Secrecy Protection Bureau, Office of the National Encryption Management Committee and the Office of the Leading Group for Informatization, the offices of secrecy protection committees in all Centre and State bodies’ ministries and commissions, all people’s organizations’ secrecy protection committee offices:

The “Implementation Opinions concerning Information Security Multi-Level Protection Work” were passed at the 3rd Meeting of the National Coordination Group for Network and Information Security, and are hereby issued to you, please implement them earnestly. 

Ministry of Public Security of the People’s Republic of China

National Secrecy Protection Bureau

Office of the National Encryption Management Committee

State Council Informatization Work Office

Implementation Opinions concerning the Information Security Multi-Level Protection System

The information security multi-level protection system is a basic system for, in the development process of informatization in the national economy and society, raising information security protection capabilities and levels, safeguarding national security, social stability and the public interest, safeguarding and stimulating the healthy development of informatization construction. Implementing the information security multi-level protection system will enable the full mustering of vigour of the State, legal persons and other organizations, as well as citizens, let every side play a role, achieve the goal of effective protection, strengthen the integrity, focus and efficacy of security protection, enable information system security construction to become ever more focused on prominent points, unified and standardized, scientific and rational, this will play an important driving role in the development of our country’s information security.

In order to further raise information security protection capabilities and defence levels, safeguard national security, the public interest and social stability, ensure and stimulate the healthy development of informatization construction, the “Computer and Information System Security Protection Regulations of the People’s Republic of China”, promulgated by the State Council in 1994, provide that “tiered protection is implemented for computer and information system, security grading plans and standards, as well as concrete rules for tiered security protection will be formulated by the Ministry of Public Security together with relevant departments.” In 2003, the Centre Office and State Council Office transmitted the “Leading Group for National Informatization Opinions concerning Strengthening Information Security Protection  Work” (ZBF No. [2003]27), which clearly puts forward that “A focal point is protecting basic information networks and important information system related to national security, economic lifelines, social stability and other such aspects, grasp the establishment of an information security multi-level protection system, formulate management rules and technical guidelines for the information security multi-level protection system.”

I, The importance of conducting information security multi-level protection work

In recent years, as the Party Centre and State Council have given it high regard, and all stakeholders have coordinated, cooperated, and made joint efforts our country’s information security protection work has seen great progress. But looking from the general picture, our country’s information security protection work is still in the early stages, its basis is weak, its levels are low, and the following prominent problems exist: information security awareness and security protection capabilities are weak, information security lags behind informatization development; information systems security construction and management objectives are not clear; information security protection work focus points are not prominent; information security supervision and management lacks a basis and standards, supervision and management measures remain meeting goals, supervision and management systems remain to be perfected. Following the rapid development of information technologies and the speedy popularization of network applications, our country’s national economic and social informatization progress is comprehensively accelerating, the basic and whole-picture roles of information systems are strengthening day by day, information resources have become an important strategic resource for national economic construction and social development. Protecting information security, safeguarding national security, the public interest and social stability, are major issues that urgently need to be resolved in the present development of informatization. 

Implementing information security multi-level protection will enable an effective increase in the overall levels of our country’s information and information system security construction, it will benefit the construction of information security facilities simultaneously with the process of information construction, and the coordination of information security protection with informatization construction; it will benefit the provision of systematic, focused and feasible guidance over and service to information system security construction and management, and the effective control of information security construction costs; it will benefit the optimization of information security resource allocation, implementing tiered protection of information system means the focus lies on ensuring the security of basic information networks and important information systems related to national security, economic lifelines, social stability and other such areas; it will benefit the clarification of information security responsibilities of the state, legal persons and other organizations, as well as citizens, strengthening information security management; it will benefit the promotion of the development of the information security industry, progressively exploring a line of information security models suited to the development of the Socialist market economy.

II, The principles of the information security multi-level protection system

The core of information security multi-level protection is division of information security levels, and conducting construction, management and supervision according to standards. The information security multi-level protection system respects the following basic principles:

(1) Clarifying responsibilities, joint protection. Through tiered protection, organize and mobilize the state, legal persons, other organizations and citizens to jointly participate in information security protection work; subjects on all sides will bear corresponding, clear and concrete information security protection responsibilities according to norms and standards.

(2) Relying on standards, protecting oneself. The State uses mandatory norms and standards to require information and information systems to grade themselves and protect themselves according to corresponding construction and management requirements.

(3) Simultaneous construction, dynamic adjustment. Information systems shall, when being newly built, improved or expanded, simultaneously construct information security facilities, ensuring that information security and informatization construction are matched. Where, due to changing conditions such as the application category or scope of information and information systems, and other such reasons, security protection grading needs to be changed, the security protection grade of an information system shall be determined again on the basis of the requirements of tiered protection management standards and technology standards. Tiered protection management standards and technology standards shall be revised timely according to the actual circumstances in the development of tiered protection work.

(4) Guidance and supervision, protection of focus points. The State appoints information security supervision and management functional departments to conduct guidance and supervision of information security protection work of important information and information systems through means such as filing, guidance, inspection, supervision, rectification, etc. The State focuses on protecting basic information networks and important information systems affecting national security, economic lifelines and social stability, mainly including: State affairs processing information networks (Party and government entities’ business systems); information systems related to the national economy and the people’s livelihoods such as the financial administration, the financial sector, taxation, Customs, auditing, industry and commerce, social security, energy, traffic and transportation, national defence industry, etc.; information systems in educational, national science and technology and other such work units; information systems in basic information networks such as public telecommunications, radio and television transmission, etc.; and important information systems in network management centres and important websites as well as important information systems in other areas.

III, The basic content of the information security multi-level protection system

Information security multi-level protection  implements security protection over State secret information, the proprietary information of legal persons, other organizations and citizens, as well as public information, and information systems storing, transmitting and processing this information in a tiered manner, it implements tier-based management over information security products used in information systems, and responds to and processes information security incidents occurring in information system in a tiered manner.

Information systems refers to systems or networks composed of computers and related supplementary equipment and facilities, which conduct information storage, transmission and processing according to specific application goals or norms; information refers to digitized information stored, transmitted or processed on information systems. 

On the basis of the degree of importance of information and information systems in national security, economic construction and social life; the degree of harm to national security, social order, the public interest as well as the lawful rights and interests of citizens, legal persons and other organizations in case of destruction; with regard to the secrecy, integrity and usability requirements of information and the basic security protection levels that information systems must achieve, and other such factors, information and information systems’ security protection grades are divided into five tiers in total:

1: The first tier is the self-protection tier, which applies to common information and information systems, whose destruction may bring a certain influence on the rights and interest of citizens, legal persons or other organizations, but no harm to national security, social order, economic construction or the public interest.

2. The second tier is the guided protection tier, which applies to common information and information systems that affect national security, social order, economic construction and the public interest to a certain degree, and whose destruction may result in certain harm to national security, social order, economic construction and the public interest.

3. The third tier is the supervised protection tier, which applies to information and information systems involving national security, social order, economic construction and the public interest, whose destruction may result in relatively large harm to national security, social order, economic construction and the public interest. 

4. The fourth tier is the mandatory protection tier, which applies to important information and information systems involving national security, social order, economic construction and the public interest, whose destruction may result in grave harm to national security, social order, economic construction and the public interest. 

5. The fifth tier is the specially controlled protection tier, which applies to the core systems of  important information and information systems involving national security, social order, economic construction and the public interest, whose destruction may result in especially grave harm to national security, social order, economic construction and the public interest. 

The State, through formulating uniform management norms and technical standards, organizes administrative bodies, citizens, legal persons and other organizations to conduct focused protection work on the basis of the differing degrees of importance of information and information systems. The State exercises supervision and management policies of different degrees of strength for information and information systems in different security protection tiers. The first tier will implement self-protection according to State management norms and technical standards; the second tier will conduct self-protection under the guidance of information security supervision and management functional departments, according to State management norms and technical standards; the third tier will conduct self-protection according to state management norms and technical standards, and information security supervision and management functional departments will conduct supervision and inspection of them; the fourth tier will conduct self-protection according to State management norms and technical standards, and information security supervision and management functional departments will conduct mandatory supervision and management over them; the fifth tier will conduct self-protection according to State management norms and technical standards, and State-appointed specialized departments and specialized bodies will conduct specialized supervision. 

The state will conduct tiered management of the use of information security products.

For information security incidents, a tiered response and processing system will be implemented. On the basis of the destructive degree of information security incidents concerning information and information systems, the resulting social influence as well as the scope of involvement, the incident’s tier will be determined. Corresponding advance plans will be formulated on the basis of the different tiers of incidents occurring on information systems of different security protection tiers, clarifying the scope and degree of incident response and processing, as well as the applicable management system. After an information security incident occurs, response and processing will occur according to advance plans and tier classification.

IV, Information security multi-level protection work and responsibility divisions

Public security bodies are responsible for information security multi-level protection work supervision, inspection and guidance. State secrecy protection work departments are responsible for supervision, inspection and guidance of secrecy protection-related work in multi-level protection work. State encryption management departments are responsible for supervision, inspection and guidance of encryption-related work in multi-level protection work. 

In information security multi-level protection work, matters involving the scope of jurisdiction of other functional departments, will be managed by the relevant functional departments according to State laws and regulations. 

The competent department for information and information systems as well as operating and using work units conduct information security construction and management according to multi-level protection management norms and technology standards.

The State Council Informatization Work Office is responsible for interdepartmental coordination in information security multi-level protection work.

V, Requirements for implementing information security multi-level protection work

Information security multi-level protection work must give prominence to focus points, divide tiers of responsibility, guide according to categories, and implement in different steps, according to the requirements that who is in charge is responsible, and who operates is responsible, clarify the security responsibilities of competent departments as well as work units and individuals constructing, operating, maintaining and using information systems, who respectively will implement multi-level protection measures. For implementation of information security multi-level protection, work in the following six areas shall be done well:

(1) Perfecting standards, categorized guidance. Formulate systemic and integrated information security multi-level protection management norms and technical standards, and incessantly supplement and perfect them on the basis of actual circumstances in the conduct of work. Information security supervision and management functional departments will issue corresponding guidance on information security multi-level protection work to information and information systems of different degrees of importance, and ensure the smooth conduct of information security multi-level protection work.

(2) Scientific classification, strict filing. The work units operating and using information and information systems will, according to multi-level protection management norms and technical standards, determine the security protection tier of their information and information systems, and report to their competent department for examination and approval.

Concerning information systems containing many sub-systems, under the preconditions of ensuring the secure interoperability of information systems and effective information sharing, a security protection tier shall be respectively determined on the basis of the multi-level protection management regulations, technology standards and the degree of importance of the various sub-systems in an information system. For large interregional systems, a method is implemented that integrates vertical protection and localized protection.

The State Council Informatization Work Office organizes domestic information security experts to establish an information security multi-level expert review committee. The work units operating or using important information and information systems and their competent departments shall, when determining the security protection tier of information and information systems, request the information security protection multi-level expert review committee to provide consulting and comments.

For information systems with a security protection tier of three or higher, the operating or using work unit will report to the local district / city-level public security bureau for filing. Interregional information systems will be subject to general filing by their competent authority with the local public security bureau of the same level, sub-systems are reported respectively by the local operating or using work unit with the local district / city-level public security body.

Rules for the classification management of information security products as well as the management of tiered information security incident response and processing will be promulgated by the Ministry of Public Security together with the Secrecy Protection Bureau, the State Cryptography Office, the Ministry of Information Industry, the Certification and Accreditation Administration and other such departments.

(3) Construction and renovation, implementation measures. With regard to existing information systems, their operating and using work units will, on the basis of already determined information security protection levels, and according to the management norms and technical standards for multi-level protection, purchase and use correspondingly tiered information security products, build security infrastructure, implement technical security measures, and complete system improvements. For newly built, rebuilt and extended information systems, information system planning, design and construction shall be conducted according to multi-level protection management norms and technical standards.

(4) Self-inspection and self-rectification, implementing requirements. Work units operating and using information and information systems and their competent authorities will conduct inspection and assessment of information systems who have completed security multi-level protection construction according to multi-level protection management norms and technical standards, timely correct problems they discover, strengthen and perfect the construction of their own information security multi-level protections, and strengthen self-protection.

(5) Constructing structures, strengthening management. Work units operating and using information and information systems will regularly conduct monitoring and assessment of their security state according to the requirements of management norms corresponding to the security protection tier of that system and technical standards, timely eliminate security vulnerabilities and leaks, establish security systems, formulate security incident response ad management preparation plans for different tiers of information, and strengthen the security management of information systems. Competent departments of information and information systems shall, according to the requirements of multi-level protection management norms and technical standards, conduct supervision and management work, and when they discover problems, timely urge their correction.

(6) Supervision and inspection, perfecting protection. Public security departments will focus on conducting supervision and inspection of the tiered security protection of third and fourth-tier information and information systems according to multi-level protection management norms and technical standards. Where they discover that the determined security protection tier does not conform to multi-level protection management norms and technical standards, they shall notify the competent department of the information and information system and the operating and using work unit, to conduct rectification; where they discover the existence of security risks or non-achievement of the requirements of multi-level protection management norms or technical standards, they must correct them within a limited time, and ensure the perfection of security protection measures of information and information systems. Supervision and inspection shall be conducted of information security products used in information systems.

Supervision and inspection of fifth-tier information and information systems will be conducted by State-designated special departments and special bodies according to relevant regulations.

The national secrecy protection work department, encryption management department as well as other functional departments will guide, supervise and inspect according to their duties and the division of work.

VI, Information security multi-level protection work implementation planning

It is planned the implement to use around three years of time to implement the information security multi-level protection system at a nationwide scale in three stages.

(1) Preparatory stage. In order to ensure the smooth implementation of the information security multi-level protection system, before comprehensively implementing the multi-level protections, around one year of time is used to complete the following preparatory work:

1. Strengthening leadership, implementing responsibilities. Under the leadership of the National Network and Information Security Coordination Group, all levels’ local People’s Governments, information security supervision and management functional departments, competent departments of information systems and operating and using work units must determined their own security responsibilities, establish coordination and cooperation mechanisms, respectively formulate detailed implementation plans, vigorously advance the establishment of the information security multi-level protection system, and promote the establishment and perfection of operational mechanisms for information security management.

2. Accelerating the perfection of laws, regulation and standards systems. Legal norms and technical standards are the legal basis and technical safeguards for the broadening and implementation of information security multi-level protection work. To this end, the formulation must be sped up of regulations and norms such as the “Information Security Multi-Level Protection Management Rules”, the “Information Security Multi-Level Protection Implementation Guidelines”, the “Information Security Multi-Level Protection Assessment Guidelines”, etc., so they are published as quickly as possible.

3. Establishing information security multi-level protection supervision and management teams and technical support systems. Information security supervision and management functional departments must establish dedicated information security multi-level protection supervision and inspection bodies, give them full strength, strengthen construction, grasp training, ensure that supervision and inspection personnel is able to comprehensively grasp legal norms, management norms and technical standards related to information security multi-level protection, is proficient in using technical tools, and realistically undertake information security multi-level protection guidance, supervision and inspection duties and responsibilities. At the same time, it is also necessary to establish technical support systems for information security multi-level protection supervision and inspection work, organize the research, manufacture and exploitation of scientific and applied inspection and assessment tools.

4. Further conducting multi-level protection trial work. Select focus work units in e-government, e-commerce as well as other areas to launch multi-level protection trial work, and further perfect multi-level protection implementation guidelines and related supplementary norms, standards and tools on the basis of trial work, accumulate information security multi-level protection work implementation methods and experiences.

5. Strengthening propaganda and training work. All levels’ local People’s Governments, information security supervision and management functional departments and information system competent departments must vigorously propagate information security multi-level protection-related regulations, standards and policies, organize and launch related training, raise the understanding of and importance given to information security multi-level protection work, vigorously promote relevant departments and work units’ early performance of information security multi-level protection work preparations

(2) Focus implementation phase. On the basis of completing early preparation work, use around one year of time to implement the multi-level protections basic information networks and important information systems with national focus protection, involving national security, economic lifelines and social stability. Through one year of construction, enable basic information networks and important information systems’ core vital parts to gain effective protection, the protection status of basic information networks and information systems involving national security, economic lifelines and social stability to gain a relatively great improvement, concluding the present situation where there basically are no protection measures or protection measures are insufficient.

(3). Comprehensive implementation phase. On the basis of trial work, use around one year of time to roll out the information security multi-level protection system nationwide. Information and information system operating and using work units already implementing the multi-level protections and their competent departments must further perfect information security protection measures. Where the multi-level protection is not implemented, implementation must be organized earnestly according to multi-level protection management norms and technical standards.

Through three years of efforts, progressively implement the information security multi-level protection system in all segments of information security planning, construction, assessment, operations and maintenance, and enable our country’s information security protection state to gain a fundamental improvement.

关于信息安全等级保护工作的实施意见
信息安全等级保护制度是国家在国民经济和社会信息化的发 展过程中，提高信息安全保障能力和水平，维护国家安全、社会稳 定和公共利益，保障和促进信息化建设健康发展的一项基本制度。 实行信息安全等级保护制度，能够充分调动国家、法人和其他组织 及公民的积极性，发挥各方面的作用，达到有效保护的目的，增强 安全保护的整体性、针对性和实效性，使信息系统安全建设更加突 出重点、统一规范、科学合理，对促进我国信息安全的发展将起到 重要推动作用。
为了进一步提高信息安全的保障能力和防护水平，维护国家安 全、公共利益和社会稳定，保障和促进信息化建设的健康发展，1994 年国务院颁布的《中华人民共和国计算机信息系统安全保护条例》 规定，“计算机信息系统实行安全等级保护，安全等级的划分标准和 安全等级保护的具体办法，由公安部会同有关部门制定”。2003 年 中央办公厅、国务院办公厅转发的《国家信息化领导小组关于加强 信息安全保障工作的意见》(中办发[2003]27 号)明确指出，“要重 点保护基础信息网络和关系国家安全、经济命脉、社会稳定等方面 的重要信息系统，抓紧建立信息安全等级保护制度，制定信息安全 等级保护的管理办法和技术指南”。
一、开展信息安全等级保护工作的重要意义
近年来，党中央、国务院高度重视，各有关方面协调配合、共 同努力，我国信息安全保障工作取得了很大进展。但是从总体上看，我国的信息安全保障工作尚处于起步阶段，基础薄弱，水平不高， 存在以下突出问题:信息安全意识和安全防范能力薄弱，信息安全 滞后于信息化发展;信息系统安全建设和管理的目标不明确;信息 安全保障工作的重点不突出;信息安全监督管理缺乏依据和标准， 监管措施有待到位，监管体系尚待完善。随着信息技术的高速发展 和网络应用的迅速普及，我国国民经济和社会信息化进程全面加 快，信息系统的基础性、全局性作用日益增强，信息资源已经成为 国家经济建设和社会发展的重要战略资源之一。保障信息安全，维 护国家安全、公共利益和社会稳定，是当前信息化发展中迫切需要 解决的重大问题。
实施信息安全等级保护，能够有效地提高我国信息和信息系统 安全建设的整体水平，有利于在信息化建设过程中同步建设信息安 全设施，保障信息安全与信息化建设相协调;有利于为信息系统安 全建设和管理提供系统性、针对性、可行性的指导和服务，有效控 制信息安全建设成本;有利于优化信息安全资源的配置，对信息系 统分级实施保护，重点保障基础信息网络和关系国家安全、经济命 脉、社会稳定等方面的重要信息系统的安全;有利于明确国家、法 人和其他组织、公民的信息安全责任，加强信息安全管理;有利于 推动信息安全产业的发展，逐步探索出一条适应社会主义市场经济 发展的信息安全模式。
二、信息安全等级保护制度的原则
信息安全等级保护的核心是对信息安全分等级、按标准进行建 设、管理和监督。信息安全等级保护制度遵循以下基本原则:
(一)明确责任，共同保护。通过等级保护，组织和动员国家、法人和其他组织、公民共同参与信息安全保护工作;各方 主体按照规范和标准分别承担相应的、明确具体的信息安全保护责 任。
(二)依照标准，自行保护。国家运用强制性的规范及 标准，要求信息和信息系统按照相应的建设和管理要求，自行定级、 自行保护。
(三)同步建设，动态调整。信息系统在新建、改建、 扩建时应当同步建设信息安全设施，保障信息安全与信息化建设相 适应。因信息和信息系统的应用类型、范围等条件的变化及其他原 因，安全保护等级需要变更的，应当根据等级保护的管理规范和技 术标准的要求，重新确定信息系统的安全保护等级。等级保护的管 理规范和技术标准应按照等级保护工作开展的实际情况适时修订。
(四)指导监督，重点保护。国家指定信息安全监管职 能部门通过备案、指导、检查、督促整改等方式，对重要信息和信 息系统的信息安全保护工作进行指导监督。国家重点保护涉及国家 安全、经济命脉、社会稳定的基础信息网络和重要信息系统，主要 包括:国家事务处理信息系统(党政机关办公系统);财政、金融、 税务、海关、审计、工商、社会保障、能源、交通运输、国防工业 等关系到国计民生的信息系统;教育、国家科研等单位的信息系统; 公用通信、广播电视传输等基础信息网络中的信息系统;网络管理 中心、重要网站中的重要信息系统和其他领域的重要信息系统。
三、信息安全等级保护制度的基本内容
信息安全等级保护是指对国家秘密信息、法人和其他组织及公民的专有信息以及公开信息和存储、传输、处理这些信息的信息系 统分等级实行安全保护，对信息系统中使用的信息安全产品实行按 等级管理，对信息系统中发生的信息安全事件分等级响应、处置。
信息系统是指由计算机及其相关和配套的设备、设施构成的， 按照一定的应用目标和规则对信息进行存储、传输、处理的系统或 者网络;信息是指在信息系统中存储、传输、处理的数字化信息。
根据信息和信息系统在国家安全、经济建设、社会生活中的重 要程度;遭到破坏后对国家安全、社会秩序、公共利益以及公民、 法人和其他组织的合法权益的危害程度;针对信息的保密性、完整 性和可用性要求及信息系统必须要达到的基本的安全保护水平等 因素，信息和信息系统的安全保护等级共分五级:

1. 第一级为自主保护级，适用于一般的信息和信息系统，其 受到破坏后，会对公民、法人和其他组织的权益有一定影响，但不 危害国家安全、社会秩序、经济建设和公共利益。
2. 第二级为指导保护级，适用于一定程度上涉及国家安全、 社会秩序、经济建设和公共利益的一般信息和信息系统，其受到破 坏后，会对国家安全、社会秩序、经济建设和公共利益造成一定损 害。
3. 第三级为监督保护级，适用于涉及国家安全、社会秩序、 经济建设和公共利益的信息和信息系统，其受到破坏后，会对国家 安全、社会秩序、经济建设和公共利益造成较大损害。
4. 第四级为强制保护级，适用于涉及国家安全、社会秩序、 经济建设和公共利益的重要信息和信息系统，其受到破坏后，会对 国家安全、社会秩序、经济建设和公共利益造成严重损害。
5. 第五级为专控保护级，适用于涉及国家安全、社会秩序、 经济建设和公共利益的重要信息和信息系统的核心子系统，其受到 破坏后，会对国家安全、社会秩序、经济建设和公共利益造成特别 严重损害。
   国家通过制定统一的管理规范和技术标准，组织行政机关、公 民、法人和其他组织根据信息和信息系统的不同重要程度开展有针 对性的保护工作。国家对不同安全保护级别的信息和信息系统实行 不同强度的监管政策。第一级依照国家管理规范和技术标准进行自 主保护;第二级在信息安全监管职能部门指导下依照国家管理规范 和技术标准进行自主保护;第三级依照国家管理规范和技术标准进 行自主保护，信息安全监管职能部门对其进行监督、检查;第四级 依照国家管理规范和技术标准进行自主保护，信息安全监管职能部 门对其进行强制监督、检查;第五级依照国家管理规范和技术标准 进行自主保护，国家指定专门部门、专门机构进行专门监督。
   国家对信息安全产品的使用实行分等级管理。
   信息安全事件实行分等级响应、处置的制度。依据信息安全事 件对信息和信息系统的破坏程度、所造成的社会影响以及涉及的范 围，确定事件等级。根据不同安全保护等级的信息系统中发生的不 同等级事件制定相应的预案，确定事件响应和处置的范围、程度以 及适用的管理制度等。信息安全事件发生后，分等级按照预案响应 和处置。
   四、信息安全等级保护工作职责分工
   公安机关负责信息安全等级保护工作的监督、检查、指导。国 家保密工作部门负责等级保护工作中有关保密工作的监督、检查、指导。国家密码管理部门负责等级保护工作中有关密码工作的监 督、检查、指导。
   在信息安全等级保护工作中，涉及其他职能部门管辖范围的事 项，由有关职能部门依照国家法律法规的规定进行管理。
   信息和信息系统的主管部门及运营、使用单位按照等级保护的 管理规范和技术标准进行信息安全建设和管理。
   国务院信息化工作办公室负责信息安全等级保护工作中部门 间的协调。
   五、实施信息安全等级保护工作的要求
   信息安全等级保护工作要突出重点、分级负责、分类指导、分 步实施，按照谁主管谁负责、谁运营谁负责的要求，明确主管部门 以及信息系统建设、运行、维护、使用单位和个人的安全责任，分 别落实等级保护措施。实施信息安全等级保护应当做好以下六个方 面工作:
   (一)完善标准，分类指导。制定系统完整的信息安全 等级保护管理规范和技术标准，并根据工作开展的实际情况不断补 充完善。信息安全监管职能部门对不同重要程度的信息和信息系统 的安全等级保护工作给予相应的指导，确保等级保护工作顺利开 展。
   (二)科学定级，严格备案。信息和信息系统的运营、 使用单位按照等级保护的管理规范和技术标准，确定其信息和信息 系统的安全保护等级，并报其主管部门审批同意。
   对于包含多个子系统的信息系统，在保障信息系统安全互联和 有效信息共享的前提下，应当根据等级保护的管理规定、技术标准和信息系统内各子系统的重要程度，分别确定安全保护等级。跨地 域的大系统实行纵向保护和属地保护相结合的方式。
   国务院信息化工作办公室组织国内有关信息安全专家成立信 息安全保护等级专家评审委员会。重要的信息和信息系统的运营、 使用单位及其主管部门在确定信息和信息系统的安全保护等级时， 应请信息安全保护等级专家评审委员会给予咨询评审。
   安全保护等级在三级以上的信息系统，由运营、使用单位报送 本地区地市级公安机关备案。跨地域的信息系统由其主管部门向其 所在地的同级公安机关进行总备案，分系统分别由当地运营、使用 单位向本地地市级公安机关备案。
   信息安全产品使用的分等级管理以及信息安全事件分等级响 应、处置的管理办法由公安部会同保密局、国密办、信息产业部和 认监委等部门制定。
   (三)建设整改，落实措施。对已有的信息系统，其运 营、使用单位根据已经确定的信息安全保护等级，按照等级保护的 管理规范和技术标准，采购和使用相应等级的信息安全产品，建设 安全设施，落实安全技术措施，完成系统整改。对新建、改建、扩 建的信息系统应当按照等级保护的管理规范和技术标准进行信息 系统的规划设计、建设施工。
   (四)自查自纠，落实要求。信息和信息系统的运营、 使用单位及其主管部门按照等级保护的管理规范和技术标准，对已 经完成安全等级保护建设的信息系统进行检查评估，发现问题及时 整改，加强和完善自身信息安全等级保护制度的建设，加强自我保 护。(五)建立制度，加强管理。信息和信息系统的运营、 使用单位按照与本系统安全保护等级相对应的管理规范和技术标
   准的要求，定期进行安全状况检测评估，及时消除安全隐患和漏洞， 建立安全制度，制定不同等级信息安全事件的响应、处置预案，加 强信息系统的安全管理。信息和信息系统的主管部门应当按照等级 保护的管理规范和技术标准的要求做好监督管理工作，发现问题， 及时督促整改。
   (六)监督检查，完善保护。公安机关按照等级保护的 管理规范和技术标准的要求，重点对第三、第四级信息和信息系统 的安全等级保护状况进行监督检查。发现确定的安全保护等级不符 合等级保护的管理规范和技术标准的，要通知信息和信息系统的主 管部门及运营、使用单位进行整改;发现存在安全隐患或未达到等 级保护的管理规范和技术标准要求的，要限期整改，使信息和信息 系统的安全保护措施更加完善。对信息系统中使用的信息安全产品 的等级进行监督检查。
   对第五级信息和信息系统的监督检查，由国家指定的专门部 门、专门机构按照有关规定进行。
   国家保密工作部门、密码管理部门以及其他职能部门按照职责 分工指导、监督、检查。
   六、信息安全等级保护工作实施计划
   计划用三年左右的时间在全国范围内分三个阶段实施信息安 全等级保护制度。
   (一)准备阶段。为了保障信息安全等级保护制度的顺利实施，在全面实施等级保护制度之前，用一年左右的时间做好下列 准备工作:
   1.加强领导，落实责任。在国家网络与信息安全协调小组的领 导下，地方各级人民政府、信息安全监管职能部门、信息系统的主 管部门和运营、使用单位要明确各自的安全责任，建立协调配合机 制，分别制定详细的实施方案，积极推进信息安全等级保护制度的 建立，推动信息安全管理运行机制的建立和完善。
   2.加快完善法律法规和标准体系。法律规范和技术标准是推广 和实施信息安全等级保护工作的法律依据和技术保障。为此，《信 息安全等级保护管理办法》和《信息安全等级保护实施指南》、《信 息安全等级保护评估指南》等法规、规范要加紧制定，尽快出台。
   加快信息安全等级保护管理与技术标准的制定和完善，其他现 行的相关标准规范中与等级保护管理规范和技术标准不相适应的， 应当进行调整。
   3.建设信息安全等级保护监督管理队伍和技术支撑体系。信息 安全监管职能部门要建立专门的信息安全等级保护监督检查机构， 充实力量，加强建设，抓紧培训，使监督检查人员能够全面掌握信 息安全等级保护相关法律规范和管理规范及技术标准，熟练运用技 术工具，切实承担信息安全等级保护的指导、监督、检查职责。同 时，还要建立信息安全等级保护监督、检查工作的技术支撑体系， 组织研制、开发科学、实用的检查、评估工具。
   4.进一步做好等级保护试点工作。选择电子政务、电子商务以 及其他方面的重点单位开展等级保护试点工作，并在试点工作的基 础上进一步完善等级保护实施指南等相关的配套规范、标准和工具，积累信息安全等级保护工作实施的方法和经验。 5.加强宣传、培训工作。地方各级人民政府、信息安全监管职 能部门和信息系统的主管部门要积极宣传信息安全等级保护的相 关法规、标准和政策，组织开展相关培训，提高对信息安全等级保 护工作的认识和重视，积极推动各有关部门、单位做好开展信息安
   全等级保护工作的前期准备。
   (二)重点实行阶段。在做好前期准备工作的基础上， 用一年左右的时间，在国家重点保护的涉及国家安全、经济命脉、 社会稳定的基础信息网络和重要信息系统中实行等级保护制度。经 过一年的建设，使基础信息网络和重要信息系统的核心要害部位得 到有效保护，涉及国家安全、经济命脉、社会稳定的基础信息网络 和重要信息系统的保护状况得到较大改善，结束目前基本没有保护 措施或保护措施不到位的状况。
   在工作中，如发现等级保护的管理规范和技术标准以及检查评 估工具等存在问题，及时组织有关部门进行调整和修订。
   (三)全面实行阶段。在试行工作的基础上，用一年左 右的时间，在全国全面推行信息安全等级保护制度。已经实施等级 保护制度的信息和信息系统的运营、使用单位及其主管部门，要进 一步完善信息安全保护措施。没有实施等级保护制度的，要按照等 级保护的管理规范和技术标准认真组织落实。
   经过三年的努力，逐步将信息安全等级保护制度落实到信息安 全规划、建设、评估、运行维护等各个环节，使我国信息安全保障 状况得到基本改善。