The term "information system" as mentioned in these Measures refers to an operating system consisting of computers, information networks and their supporting facilities, which stores, transmits and processes information according to certain application objectives and rules. Article 5 The graded protection of information security shall follow the principles of graded implementation, clear responsibilities and ensuring security. Focus on ensuring the security of all kinds of information and the continuity of information processing in basic information networks and important information systems.
The information system shall, in accordance with the requirements of information security level protection, implement the principles of synchronous construction, dynamic adjustment and whoever operates shall be responsible. Article 6 The people's governments at or above the county level shall strengthen their leadership over information security level protection, incorporate information security level protection into information construction planning, coordinate and solve major related problems, and establish necessary funding and technical guarantee mechanisms. Seventh people's governments at or above the county level public security, national security, confidentiality, password, information and other administrative departments shall perform their duties of supervision and management in accordance with the provisions of the state and these measures.
Other relevant departments of the people's governments at or above the county level shall, in accordance with the division of responsibilities, implement the management responsibility of information security level protection and cooperate with relevant work. Chapter II Classification and Implementation of Classified Protection Article 8 According to the importance of information carried by an information system, the dependence of business processing on the system and the harm to the economy and society after the system is destroyed, the corresponding protection level of the information system is determined.
The protection level of information system is divided into the following five levels:
(1) The information carried by the information system involves the rights and interests of citizens, legal persons and other organizations. After the information system is damaged, it can directly change its business through other means, which has a certain impact on the rights and interests of citizens, legal persons and other organizations, but does not endanger national security, social order, economic construction and public interests, which is the first-class protection and is independently protected by the operating unit;
(2) The information carried by the information system directly involves the rights and interests of citizens, legal persons and other organizations. If the information system is damaged, which affects the normal operation of business and causes certain damage to national security, social order, economic construction and public interests, it belongs to secondary protection, and the operating unit will protect it under the guidance of the information security level protection supervision department;
(three) the information carried by the information system involves the interests of the state, society and the public. If the information system is destroyed, it will seriously affect the normal operation of business and cause great damage to national security, social order, economic construction and public interests. It is a three-level protection, and the operating unit will protect it under the supervision of the information security level protection supervision department;
(4) The information carried by the information system directly relates to the national, social and public interests. After the information system was destroyed, the business could not be handled normally, which caused serious damage to national security, social order, economic construction and public interests. It is a four-level protection, and the operating unit will protect it according to the mandatory requirements of the information security level protection supervision department;
(5) The information carried by the information system is directly related to national security, social stability, economic construction and operation. If the information system is destroyed, it will cause particularly serious damage to national security, social order, economic construction and public interests. It is a five-level protection, and the operating unit will protect it under the exclusive control of specialized departments and specialized agencies designated by the state. Ninth information system construction, operation and use of units shall, in accordance with the relevant national technical norms and standards and the provisions of Article 8 of these measures, independently choose the corresponding protection level of their information systems.
The protection level of basic information network and important information system, the construction unit shall, in the planning and design of information system, report to the examination and approval in accordance with the provisions of Article 10 of these Measures. Tenth basic information network and important information system protection level, the implementation of expert evaluation system.
The competent departments of information technology in provinces and cities with districts shall set up expert review groups on the protection level of information systems in provinces and cities respectively, and organize the examination and approval of the protection level of basic information networks and important information systems involving the whole province and the whole city respectively. The specific rules for declaration and approval shall be formulated by the provincial information administrative department in conjunction with the provincial public security department and reported to the provincial people's government for the record. Article 11 For an information system containing multiple subsystems, the protection level shall be determined according to the importance of each subsystem. Twelfth after the completion of the information system construction, its operation and use units shall conduct safety assessment in accordance with the relevant national technical specifications and standards, and can be put into use only after meeting the requirements.