Financial Crime World

China’s New Cybersecurity Regulations: Understanding General and Extended Evaluation Requirements

Enhancing National Cybersecurity in China

Beijing, China - In a move to strengthen national cybersecurity, China has released new evaluation requirements for graded protection objects, replacing the previous Information Security Technology-Testing and Evaluation Requirement for Classified Protection of Information System (GB/T 28448-2012). The new regulations aim to enhance the security posture of networks and systems in China.

Who’s Responsible?

The responsibility for conducting security evaluations and providing recommendations on the security state of graded protection objects falls to:

  • Competent departments
  • Operating units of graded protection objects
  • Assessment agencies

These agencies will play a crucial role in guiding network security functional departments during oversight and inspection of networks.

Basic Methodology

The fundamental approach to conducting a grade evaluation involves:

  • Using pertinent evaluation tools
  • Adhering to predetermined evaluation guidelines
  • Collecting the necessary evidence data
  • Providing an evaluation result on whether the security protection capability of a particular grade has been attained

The evaluation object is determined by analyzing business processes and data flows, as well as the importance, safety, sharing, comprehensiveness, and appropriateness of system components.

Evaluation Methods

  • Each requirement in the Evaluation Requirements must have its own evaluation and appraisal, which covers all details related to that evaluation and assessment.
  • Approaches that may be employed in the evaluation and appraisal of each requirement include:
    • Interview
    • Verification
    • Test

Individual Assessment and Overall Assessment

  • The grade evaluation is split into an individual assessment and an overall assessment.
  • The individual assessment evaluates specific aspects, including:
    • Safe physical environment
    • Communication network
    • Area boundary
    • Computing environment
    • Safety management system, organization, personnel, and center
    • Construction management
  • The overall assessment conducts a comprehensive safety analysis from the perspectives of safety control points and regions.

Practical Takeaways

As China’s Data Security Law comes into effect, companies in China must comply with new obligations for data security based on the MLPS requirements. To ensure compliance:

  • Understand the requirements of MLPS 2.0 and seek guidance from outside counsel
  • Assess and identify critical systems and data
  • Implement technical, operational, and organizational measures to ensure system security
  • Undergo regular security assessments

Background

The release of the Evaluation Requirements marks a significant step in enhancing China’s cybersecurity landscape. The government has also published a list of qualified expert institutions as assessment agencies for the MLPS certification.

Conclusion

China’s new evaluation requirements aim to strengthen the security posture of networks and systems in the country. Companies operating in China must comply with these regulations to avoid potential fines and business disruptions. It is essential for companies to understand the requirements of MLPS 2.0, assess their critical systems and data, implement appropriate security measures, and undergo regular security assessments to ensure compliance.

By Todd Liao, Partner at Morgan, Lewis & Bockius LLP, Shanghai