The China Cybersecurity Law demonstrates China’s determination to take a more effective and coordinated approach to safeguard cyberspace as part of China’s National Security Initiative. The law applies to the construction, operation, maintenance and use of information networks, and the supervision and administration of cybersecurity in China.
Many of the obligations under the law apply to “network operators,” which are widely defined to include owners, administrators and network service providers who use networks owned or administered by others to provide relevant services. This includes, but is not limited to, telecommunication operators, network information service providers and important information system operators.
Also subject to stringent requirements under the law are “critical information infrastructure operators,” which include critical industries such as public communication, media, energy, transportation, financial services, public utilities, medical, social welfare, military and government affairs, as well as network service providers with a significant number of users.
Since the Cybersecurity Law took effect on 1 June 2017, the regulators have not hesitated or delayed enforcement efforts across China, although certain important implementing rules are still in the pipeline.
Enterprises will face more challenges in complying with the law and its detailed regulations, especially as the scope has been widened to span network operation security, content security, network monitoring and incident response reporting to authorities. Some initial challenges include:
- Increased obligations under the law, including safeguarding network security, cooperating with inspections, and meeting related social responsibility and business ethics requirements.
- More stringent regulations and requirements. For instance, a security assessment is required before the cross-border transfer of sensitive personal data.
- Additional consequences. Organizations and individuals (including those from foreign countries) found guilty of attacking China’s critical infrastructure are subject to punishment specified by the law.
- Expanded government powers. Authorities will have the right to shut down or limit network communications in the event of security emergencies.
In view of these developments, ISACA has published the Guide to China’s Regulatory Cybersecurity Implementation Framework to enable practitioners and enterprises to gain an understanding of the China Cybersecurity Law and its implementation.
This guide summarizes the structure and content of the China Cybersecurity Law, the key points for implementation and a recommended approach for gap analysis. A structured, step-by-step approach enables practitioners and enterprises to determine whether their organization is part of the critical information infrastructure as defined by the law. Furthermore, the guide offers the necessary security control measures for both network operators and critical information infrastructure operators, including illustrations of suggested management and technical controls.
The National Institute of Standards and Technology (NIST) and ISACA have accumulated extensive experience in promoting the implementation of the NIST Cybersecurity Framework. Therefore, this guide also uses the NIST Cybersecurity Framework implementation process and the ISACA implementation process based on COBIT 5 as references for practitioners and enterprises to implement cybersecurity systems. Users can create new cybersecurity plans or improve existing plans by referencing the NIST framework when implementing the China Cybersecurity Law – and ultimately, establish a healthy cybersecurity system marked by continuous improvement.