To enhance security risk prevention and control of network and information systems in finance and other key sectors, policy documents have been issued by many industry authorities and local governments, with explicit requests for cryptography application. These documents aim to fulfil the critical role of cryptography in maintaining network and information security, and strengthen its application in different industries and regions.
Policy on cryptography application in financial industry
The People's Bank of China puts forward application requirements for the cryptographic infrastructure, financial IC cards, online banking, mobile payment and critical information systems applied by banking institutions. It is required that the institutions adopt cryptographic algorithm and product in accordance with relevant regulations and standards, and establish a safe and manageable cryptography security system. In 2016, Measures for the Administration of Bank Card Clearing Institutions was issued by the People’s Bank of China and the former China Banking Regulatory Commission. The bank card clearing infrastructure shall satisfy the requirements for the multi-level protection of national information security, use commercial code products recognized by the state cryptography authority.
It is clearly proposed by the China Securities Regulatory Commission that cryptography application should be regulated in services including online securities, online future, online fund, etc., and it should promote effective cryptographic algorithm and product in accordance with national legislation and standards.
The former China Insurance Regulatory Commission requires gradual standardization of cryptography application in electronic insurance policy, electronic certification, office systems and various insurance business systems, and it should apply cryptographic algorithm and product with conformity of national cryptographic legislation and standards, strengthen the evaluation of cryptography application, and ensure its conformity, accuracy and validity.
Policy on cryptography application in other core industries
For competent authorities involving education, public security, housing and constructions, transportation, water conservancy, health and family planning, industry and commerce, and energy etc., the general work plans were formulated on cryptography application. It is clearly proposed that cryptographic algorithm and product should be conducted in accordance with national legislation and current standards, and achieves the wide application of cryptography in their own fields.
Ministry of Education: Strengthen cryptography application in the education system providing social services, education and scientific research computer network, education management, education resources, electronic school affairs, basic education data, educational card, and other information systems.
Ministry of Public Security: Intensify cryptography application in network information systems at or above Level 3, national IT application projects, national or cross-regional network information systems, public security information network infrastructure, and information systems for government affairs.
Ministry of Finance: Interim Procedures of Government Affairs Information System on the Administration of Government Purchasing requires the implementation of relevant legislation, policies and standards in procurement demands, and the simultaneous planning, construction and operation of the cryptographic protection system with regular assessment.
Ministry of Housing and Urban-Rural Development: Strengthen the cryptography application in urban infrastructure information system, information systems for government affairs providing social services, and industrial operational and office systems.
Ministry of Transport: Enhance the cryptography application in the Electronic Toll Collection (ETC), China T-Union, online ticket selling system, mobility service system, transportation management information system, and geographic information system, etc. It is also required by the China Railway concerning areas covering the railway infrastructure network, important information system, public service platforms, etc.
Ministry of Water Resources: Improve the cryptography application in key water control projects, key water control and hydrological networks, and the Three Gorges Hydroelectric Power Station network.
Former State Administration for Industry and Commerce: The construction of security trust, management and supervision are stated.
National Energy Administration: The power system, nuclear power plant, oil and gas, and gas pipeline projects are included.
Former State Bureau of Surveying and Mapping: Satellite navigation base station, and surveying and mapping of government affairs network on public service are included.
Policy requirements on applications of cryptography in various regions
In addition to competent authorities in different industries, the policies are published for cryptography application in some provinces and cities as well.
It is clearly identified by Beijing that the funds for new cryptographic application projects would be listed into the fixed asset investment with the governments at the same level. The pre-review of its application situation is required, adding that the expense on update and operational maintaining work are incorporated into the governmental financial budgets. The Notice on the Standardized Use of Cryptography in Important Areas of Network and Information Systems was jointed issued by the General Office of the Tianjin Municipal Party Committee and the Tianjin Municipal Government.
For more information on the topic, please contact:
assistant@bestao-consulting.com