The reporter learned that the science and Technology Bureau of the CSRC recently organized industry institutions to draft the guidance on network security level protection of the securities and futures industry (Draft for comments), which was printed and distributed by the industry self discipline association to all securities and futures operating institutions for comments.
The work guidelines are applicable to "core institutions" and "operating institutions". "Core institutions" refer to the core institutions of the securities and futures market that undertake the public functions of the securities and futures market and the operation of the information technology public infrastructure of the securities and futures industry, such as securities and futures trading places and securities registration and clearing institutions, and their subordinate institutions that undertake the above related functions; "Operating institutions" refer to securities companies, futures companies, fund management companies and their subordinate institutions providing securities and futures related services, securities and futures service institutions and other securities and futures operating institutions.
The grading basis shows that the security protection level of the network and information system of the securities and futures industry shall be graded according to the damage degree caused by national financial security, social order and the legitimate rights and interests of investors after network security events such as abnormal service capacity or data damage and leakage of the network and information system, which shall be divided into five levels. Among them, in principle, the security protection level of networks and information systems that will cause particularly serious damage to national financial security after network security events is set as level 5; In principle, the security protection level of networks and information systems that will cause serious damage to national financial security or particularly serious damage to social order shall not be lower than level 4.
In principle, the security protection level of networks and information systems that will cause general damage to national financial security, serious damage to social order, or particularly serious damage to the legitimate rights and interests of investors shall not be lower than the third level. Specifically include: industry key information infrastructure; Bidding trading system and quotation system of securities and futures trading places; The settlement system of the securities registration and settlement institution; Networks and systems of core institutions carrying core production businesses such as trading and settlement; The website system of the core organization carrying the statutory information disclosure business; Real time trading system and relevant market system with more than 100000 registered trading users; Non real time trading system with more than 1 million registered trading users; Non trading business systems with more than 10 million registered users or stored user information.
In principle, the security protection level of networks and information systems that do not cause damage to national financial security, but will cause general damage to social order and serious damage to the legitimate rights and interests of investors shall not be lower than the second level. Specifically, it includes: non competitive trading system and market system of securities and futures trading place; The core organization carries the system related to non core production business; Portal system; Internet Oriented mail system; Relevant systems for trade associations to provide services to members, practitioners and investors; Real time trading system and relevant market system with less than 100000 registered trading users; Non real time trading system with less than 1 million registered trading users; Non trading business systems with less than 10 million registered users or stored user information.
In addition, after a network security incident, it will not cause damage to the national financial security and social order, but will cause general damage to the legitimate rights and interests of investors. In principle, the security protection level of the network and information system is set as the first level, including the internal comprehensive office system, operation and maintenance management support system, etc.
It should be noted that the information system running across provinces or across the country must be filed with the public security organ. Among them, the network and information systems of the core institutions and operating institutions in Beijing affiliated to the central government that are networked across provinces or across the country shall be filed with the Network Security Bureau of the Ministry of public security, and other systems shall be filed with the Beijing municipal public security organ. The information systems of other core institutions and operating institutions in Beijing shall be filed with the Beijing municipal public security organ.
For the network and information system operated by the cross provincial network or national unified network of core institutions and operating institutions not in Beijing, the core institution shall be filed with the public security organ of its place of registration, and the operating institution shall be filed with the local public security organ of the jurisdiction where the company is located; Other networks and information systems shall be filed with the provincial, municipal or district / county public security organs where the system is located.
(China Securities Journal)
