On August 31, 2017, the National Information Security Standardization Technical Committee of China published four draft voluntary guidelines (“Draft Guidelines”) in relation to the Cybersecurity Law of China. The Draft Guidelines are open for comment from the general public until October 13, 2017.
Information Security Technology – Guidelines for Cross-Border Transfer Security Assessment: Compared with the first draft published in May, the second Draft Guidelines add new definitions of certain terms, such as “domestic operations,” “cross-border data transfer” and “assessment by competent authorities.” According to these Draft Guidelines, a network operator that is not registered in China would still be deemed to be conducting “domestic operations” if it conducts business within the territory of China, or provides products or services within the territory of China. Even if the data collected by a network operator is not retained outside of China, there could still be a cross-border transfer of the data if overseas entities, institutions or individuals are able to access the data remotely. These Draft Guidelines provide separate assessment procedures for self-assessments and assessments by competent authorities. A security assessment would focus on the purpose of the proposed cross-border transfer, with reference to the legality, appropriateness and necessity of the transfer, and the security risks involved in the transfer.
Information Security Technology – General Security Requirements for Network Products and Services: This document provides both general security requirements and enhanced security requirements applicable to network products and services sold or provided within the territory of China. According to these Draft Guidelines, “network products” include computers, information terminals, basic software, system software and the like. “Network services” include cloud computing services, data processing and storage services, network communication services and the like. General security requirements under this draft include malware prevention, vulnerability management, security operating maintenance and protection of user information. Enhanced security requirements include identity verification, access controls, security audits, communication protection and certain security protection requirements.
Information Security Technology – Guide to Security Inspection and Evaluation of Critical Information Infrastructure: This document provides the procedures and substance of security inspections and evaluations of critical information infrastructure. According to these Draft Guidelines, the inspection and evaluation is divided into three methods, which include compliance inspection, technical inspection and analysis and evaluation. The key steps in a security inspection and evaluation include preparation, implementation of compliance inspection, technical inspection and analysis and evaluation, risk control and preparation of a report.
Information Security Technology – Systems of Indicators for the Assurance of the Security of Critical Information Infrastructure: This document establishes and defines indicators to be used as focal points in evaluating the security of critical information infrastructure. The indicators discussed under these Draft Guidelines include operational capacity indicator, security indicator, security monitoring indicator, emergency response indicator, etc.