Measures for the Administration of Information Security Level Protection, Chapter IV: Level Protection of Classified Information Systems

Article 24

Classified information systems shall be protected in accordance with the basic requirements of national information security level protection and the state secrecy department's management regulations and technical standards for classified information systems, in combination with the actual situation of the system.

Non-classified information systems shall not handle state secret information, etc.

Article 25

Classified information systems are divided into three levels (secret, confidential and top secret) according to the highest secret level of the information processed.

Units that construct and use classified information systems shall, on the basis of information specification and classification, determine the system level in accordance with the Administrative Measures for Classified Information System Level Protection and the national secrecy standard BMB17-2006 "Technical Requirements for Classified Protection of Computer Information Systems Involving State Secrets". For a classified information system with multiple security domains, the protection level of each security domain can be determined separately.

Security departments and institutions shall supervise and guide the construction and use of classified information systems, and accurately and reasonably classify the systems.

Article 26

The construction and use unit of the classified information system shall report the classification, construction and use of the classified information system to the competent business department and the security department responsible for system examination and approval for the record, and accept the supervision, inspection and guidance of the security department.

Article 27

Units that build and use classified information systems shall choose units with classified qualifications to undertake or participate in the design and implementation of classified information systems.

The construction and use unit of a classified information system shall design the scheme in accordance with the management norms and technical standards for classified information systems and the different requirements of the secret, confidential and top secret levels, and implement classified protection in combination with the actual situation of the system. The protection level is generally not lower than national information security protection levels 3, 4 and 5.

Article 28

In principle, information security products used in classified information systems should be made in China, and testing institutions authorized by the State Secrecy Bureau should conduct testing in accordance with relevant national security standards. The products that pass the test should be reviewed and published by the State Secrecy Bureau.

Article 29

After the implementation of the system engineering, the construction and use unit of the classified information system shall apply to the secrecy department, and the system evaluation institution authorized by the State Secrecy Bureau shall conduct security evaluation on the classified information system in accordance with the national secrecy standard BMB22-2007 "Evaluation Guide for Grade Protection of Computer Information Systems Involving State Secrets".

Before the system is put into use, the construction and use unit of the classified information system shall, in accordance with the Provisions on the Administration of Examination and Approval of State Secret Information Systems, apply for system examination and approval to the secrecy department at or above the level of a city divided into districts. The classified information system can be put into use only after passing the examination and approval. For a classified information system that has already been put into use, the construction and use unit shall, after completing the rectification of the system in accordance with the requirements of classified protection, file with the security department.

Article 30

Units that construct and use classified information systems shall submit the following materials when applying for system approval or filing:

(1) system design, implementation plan and review opinions;

(2) qualification certification materials of the system contractor;

(3) system construction and project supervision report;

(4) the system safety inspection and evaluation report;

(5) the system security organization and management system;

(6) other relevant materials.

Article 31

When the classification, connection scope, environmental facilities, main applications, and units responsible for security and confidentiality management of classified information systems change, the construction and use units shall promptly report to the security department responsible for examination and approval. The security department shall, according to the actual situation, decide whether to re-evaluate the approval.

Article 32

Units that construct and use classified information systems shall, in accordance with the national confidentiality standard BMB20-2007 "Management Standard for Grade Protection of Information Systems Involving State Secrets", strengthen confidentiality management in the operation of classified information systems, conduct regular risk assessments, and eliminate hidden dangers and loopholes that could lead to the disclosure of secrets.

Article 33

National and local secrecy departments at all levels shall supervise and manage the level protection of classified information systems in their regions and departments according to law, and shall carry out the following work:

(1) guide, supervise and inspect the development of level protection work;

(2) guide the units that construct and use classified information systems to standardize information classification and reasonably determine the protection level of the system;

(3) participate in the demonstration of classified information system level protection schemes, and guide the construction and use units in the synchronous planning and design of confidentiality facilities;

(4) supervise and manage, according to law, the units qualified for classified information system integration;

(5) strictly carry out system evaluation and approval, and supervise and inspect the implementation of the level protection management system and technical measures by the units that use classified information systems;

(6) strengthen the supervision and inspection of the operation of classified information systems: secret and confidential information systems shall be inspected at least once every two years, and top secret information systems at least once a year;

(7) understand the management and use of all kinds of classified information systems at all levels, and find and investigate all kinds of illegal leaks in a timely manner.

Extended data:

These measures were formulated in accordance with the Regulations of the People's Republic of China on the Security Protection of Computer Information Systems and other relevant laws and regulations, in order to standardize the management of information security level protection, improve the capability and level of information security, safeguard national security, social stability and public interests, and ensure and promote informatization construction. They were issued by the four ministries and commissions as document No. [2007] 43.
