Security protection obligations performed by critical information infrastructure:
(1) Set up a special security management organization and security management person in charge, and provide security background for the person in charge and key positions Review;
(2) Conduct network security education, technical training and skill assessment for practitioners on a regular basis;
(3) Carry out disaster recovery backup of important systems and databases;
(4) Develop emergency plans for network security incidents and conduct regular drills;
(5) Take measures such as data classification, backup and encryption of important data;
(6) ) Formulate internal security management systems and operating procedures, determine the person in charge of network security, and implement network security protection responsibilities; (7) Take technical measures to prevent computer viruses, network attacks, and network intrusions that endanger network security ;
(8) Take technical measures to monitor and record network operation status and network security incidents, and keep relevant network logs for no less than six months in accordance with regulations;
(9 ) Other obligations stipulated by laws and administrative regulations.
Critical Information Infrastructure Operators
The identification of Critical Information Infrastructure Operators (CIIO) needs to pass the key designated Information infrastructure identification guide. National industry supervisors or regulatory authorities shall identify the critical information infrastructure of the industry in this field in accordance with the guidelines for the identification of critical information infrastructure.
Once the network facilities and information systems operated and managed are damaged, lost functions or data leaks, in violation of the network security law, which may seriously endanger national security, national economy, people’s livelihood, and public interests, they belong to critical information infrastructure , Should be included in the scope of protection.
Cybersecurity review
Whether the suppliers of network products and services need to apply for cybersecurity review. The answer is: no need. However, companies that provide network products and services to CII operators have the obligation to cooperate with the network security review, including signing procurement documents, agreements, and contracts that contain the content of the network security review, and providing materials and supplementary materials.
When vendors sell network products and services to CII operators, they should pay attention to the requirements of network security review such as procurement documents, agreements, and contracts to be signed, including:
( 1) Promise not to use the convenience of providing products and services to illegally obtain user data;
(2) Not to illegally control and manipulate user equipment;
(3) Not to interrupt without justified reasons Product supply or necessary technical support services, etc.
CIIO combined the pre-judgment guidelines to put forward a national security risk assessment. The member units of the cyber security review mechanism can also initiate active reviews of network products and services. Usually the security review is completed within 45 working days, and complicated cases are extended by 15 days.
Scope of cyber security review
Network products and services that fall within the scope of review refer to core network equipment, high-performance computers and servers, large-capacity storage devices, large databases and application software, Network security equipment, cloud computing services, and other network products and services that have an important impact on the security of critical information infrastructure.