Regulations on the Administration of Security Assessment of New Technologies and New Applications for News and Information Services

Title: Regulations on the Administration of Security Assessment of New Technologies and New Applications for News and Information Services
Promulgating Entities: Cybersecurity Administration
Reference number: 
Promulgation Date: 2017-10-30
Expiration date: 
Source of text: http://news.jcrb.com/jxsw/201710/t20171030_1809978.html

Article 1: These Provisions are formulated on the basis of the "Cybersecurity Law of the P.R.C."and "Internet news information service management Provisions", so as to standardize Internet news information services' security assessment of new technology and new applications, to preserve national security and the public interest,and to protect the lawful rights and interests of citizens, legal persons, and other organizations.

Article 2: These Provisions apply to the State, provincial, autonomous region, or directly governed municipality internet information offices organization and carrying out of security assessment of new technologies and applications

Internet news information services' new technology and new applications (hereinafter "new technology and applications") as used in these provisions refers to innovative applications (including function and form of application) used to provide Internet news information services and the relevant supporting technology.

"Internet news information services' Security assessment of new technologies and applications" (hereinafter simply "security assessment of new technologies and applications") as used in these provisions, refers the activities of determining a risk level based on the the new technology or applications' media and public opinion properties, capacity for social mobilization, and the informational content security risks created by this; and reviewing and assessing their information security management systems and technological safeguard measures.

Article 3: Internet news information service providers adjusting or adding new technology or applications shall establish and complete technological safeguards for information management and security systems and security controls, and must not publish or disseminate information content prohibited by law.

Article 4: The State Internet Information Office is responsible for security assessment of new technologies and applications nationwide. Provincial, autonomous region, or directly governed municipality internet information offices are responsible for security assessment of new technologies and applications within that administrative region and on the basis of their duties.

The State, provincial, autonomous region, or directly governed municipality internet information offices may retain a third party to undertake the specific implementation of security assessments of new technologies and applications.

Article 5: Industry and professional organizations related to security assessment of new technologies and applications are to be given encouragement and support in strengthening self-discipline,and establishing and improving the quality deliberation, credibility and extent of public disclosure of security assessment services, and promoting the regulated development of the industry.

Article 6: Internet news information service providers shall establish and improve management and safeguard systems for the security assessment of new technologies and applications, and follow the requirements of these Provisions to organize their and carry out their own security assessments, to provide necessary support to the security assessments organized and carried out by the State, provincial, autonomous region, or directly governed municipality internet information offices, and promptly complete rectifications.

Article 7: In any of the following circumstances, Internet news information service providers shall organize and carry out their own security assessment of new technologies and applications,and prepare a written safety assessment report, and be responsible for the assessment results:

1) Where the application of new technology, or adjustments, have news and public opinion properties, or features with the capacity for social mobilization ;

2) Where changes in the functions of new technology or new applications, in terms of user scale, the functions attributes, the way the technology manifests, or changes in the allocation of basic resources causes major changes in its news or public opinion properties or its capacity for social mobilization.

The State Internet Information Office is to release a directory for security assessment of new technologies and applications, as a reference for internet news information service providers organizing and carrying out their own security assessments.

Article 8: Where Internet news information service providers following Article 7 of these provisions to organize and carry out their own security assessment of new technologies and applications discover that there are security risks, they shall promptly make corrections until the relevant security risks are eliminated.

The organization and carrying out of their own security assessments in accordance with Article 7 of these Provisions shall be completed before the use of new technology or adjustments.

Article 9: After Internet news information service providers organize and carry out their own security assessment of new technologies and applications in accordance with Article 8 of these Provisions, they shall report to the State, provincial, autonomous region, or directly governed municipality internet information office within 10 working days to organize and carry out a security assessment.

Article 10: In reporting to the State, provincial, autonomous region, or directly governed municipality Internet Information Office to organize and carry out security assessment of new technologies and applications, where the reporting entity is a central news unit or a unit controlled by a central news and publicity department, the State Internet Information Office is to organize and carry out the security assessment; where the reporting entity is a local news unit or unit controlled by a local department of news and publicity, the provincial, autonomous region, or directly governed municipality internet information office is to organize and carry out the security assessment; where the reporting unit is some other unit, then after that area's provincial, autonomous region, or directly governed municipality internet information office organizes and carries out a security assessment, the assessment materials and comments are to be sent to the State Internet Information Office to review and then form a security report.

Article 11: Internet news information service providers reporting to the State, provincial, autonomous region, or directly governed municipality internet information offices to organize and carry out security assessment of new technologies and applications, shall provide the following materials, and bear responsibility for the veracity of the materials provided:

(1) Service Plan (including service items, service methods, form of business, scope of services, etc.);

(2) The main function of the products (services) and the primary business process, system components (main type of software and hardware systems, brand, version, deployment location, and other overviews and introductions;

(3) Information security management systems and technological safeguard measures accompanying the products (services);

(4) The report of security assessments organized and completed themselves;

(5) other materials necessary to carry out security assessment.

Article 12: The State, provincial, autonomous region, or directly governed municipality internet information offices shall organize and complete the security assessment of new technologies and applications within 45 working days of the materials being complete.

State, provincial, autonomous region, or directly governed municipality Internet Information Offices may conduct further verification or the report materials through textual confirmation, field inspections, network monitoring, and other such methods, and the service providers shall cooperate.

After the State, provincial, autonomous region, or directly governed municipality internet information office organize and complete a security assessment, they should put together a security assessment report themselves, or retain a third party to do so.

Article 13: Where the comments indicated in the report on security assessment of new technologies and applications report find that their are potential information security risks in new technology or applications, and that they are not yet able to put in place accompanying security safeguard measures, the internet news information service providers shall promptly carry out corrections until it is compliant with the requirements of laws, regulations, rules, and mandatory national standards. Before the corrections are completed, the new technology or applications to be adjusted or added shall not be used to provide Internet news information services.

Where service providers refuse to make corrections or after corrections still do not meet the requirements of law, regulations, rules, and relevant mandatory national standards, causing them to no longer be eligible for licensing, the State, provincial, autonomous region, or directly governed municipality internet information office are to order the service provider to suspend operations and make corrections within a fixed period on the basis of article 23 of the "Internet News Information Service Licenses Management Provisions"; and where they still do not meet requirements for liscensing after the period passes, temporarily suspend updating news information; where they still do not meet the licensing requirements when the validity period for their Internet News Information Service Licenses is completed, a new license is not to be issued.

Article 14: The relevant units and personnel who organize and carry out security assessment of new technologies and applications shall strictly keep secret any state secrets, commercial secrets and personal information learned of in the performance of their duties, and must not disclose, sell or illegally provide it to others.

Article 15: The State, provincial, autonomous region, or directly governed municipality internet information office shall establish an active monitoring and management system strengthen the monitoring and inspection of new technologies and applications, strengthen information security risk management, and guide enterprises in implementing entity responsibility.

Article 16: Where Internet news information service providers fail to follow these Provisions in conducting a security assessment, violating the "Internet News Information Service Management Provisions", the State and local internet information offices are to give sanctions in accordance with law.

Article 17: These Provisions apply by reference to applications to provide Internet news information services reported to the State or provincial, autonomous region, or directly governed municipality internet information offices to organize and carry out a security assessment of new technologies and applications.

Article 18: These Provisions take effect on December 1, 2017.