Policies, regulations, classification and filing procedures for information system classification protection (equal Protection)
What is Information System Classification Protection (Equal Protection)
Information system classification protection refers to the implementation of security protection at different levels for state secret information, proprietary information of legal persons or other organizations and citizens, as well as information and information systems that store, transmit and process such information. It also involves the management of security products used in information systems at different levels and the response and handling of information security incidents occurring in information systems at different levels.
Graded protection(Equal ProtectionPolicies and regulations
In 1994, the "Regulations of the People's Republic of China on the Security Protection of Computer Information Systems" (State Council Decree No. 147) first proposed the concept of "implementing security classification protection for computer information systems".
In 1999, the "Criteria for the Classification of Security Protection Levels of Computer Information Systems" (GB17859) was issued by the state as a mandatory standard for the classification of security protection levels of computer information systems.
The "Information Security Technology - Basic Requirements for Security Level Protection of Information Systems" (GB/T 22239-2008) in 2008 clearly stipulates the basic requirements for security protection of information systems at all levels.
Article 21 of the Cybersecurity Law of the People's Republic of China in 2017 clearly stipulates that the state implements a classification protection system, and the implementation of the classification protection system has been elevated to the legal level.
In May 2019, core standards such as "Information Security Technology - Basic Requirements for Cybersecurity Level Protection" and "Information Security Technology - Requirements for Cybersecurity Level Protection Evaluation" were officially released.
Classification/Grading of level protection (Equal Protection)
It is divided into five levels in total, and the security capability gradually increases from level one to level five. All departments and units should apply for relevant level filing certificates in accordance with the implementation guidelines for level protection and related standards.
At the first level (user Autonomous protection level), if an information system is damaged, it will cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, but will not harm national security, social order and public interests. The operation and use units of the first-level information system shall protect it in accordance with relevant national management norms and technical standards.
At the second level (System Audit protection level), if an information system is damaged, it will cause serious harm to the legitimate rights and interests of citizens, legal persons and other organizations, or cause damage to social order and public interests, but will not endanger national security. The national information security regulatory department provides guidance on the security classification protection work of information systems at this level.
At the third level (Security Marking Protection level), if an information system is damaged, it will cause serious harm to social order and public interests, or to national security. The national information security regulatory department supervises and inspects the security level protection work of the information system at this level.
At the fourth level (Structured protection level), if an information system is damaged, it will cause particularly serious damage to social order and public interests, or cause serious damage to national security. The national information security regulatory department conducts mandatory supervision and inspection over the security level protection work of information systems at this level.
At level five (Access Verification Protection Level), if an information system is compromised, it will cause particularly serious damage to national security. The national information security regulatory department conducts specialized supervision and inspection over the security level protection work of information systems at this level.

The filing process for the classification protection (Equal Protection)
1. System classification: For enterprises/units, determine the security protection level and prepare the classification report
2. System filing: Enterprises/units should prepare relevant materials and file with the local public security organ. The local public security organ reviews and accepts the filing materials
3. Construction and rectification: Enterprises/units should establish safety technology and management systems that meet the grade requirements
4. Grade assessment: Enterprises/institutions prepare for and accept assessment by assessment institutions; The evaluation agency assesses the compliance status of the system level, evaluates the system and scores it
5. Supervision and inspection: Enterprises/units shall accept regular inspections by public security organs. Public security organs supervise and inspect the operation units to carry out the work of classification protection

Materials should be prepared for filing
1. System security organization structure, three-person review form (system development and construction personnel, maintenance personnel, and management personnel), management system and emergency response plan. The safety organization structure includes the name of the institution, the person in charge, the members, and the division of responsibilities, etc. The management system includes safety management norms, charters, etc., which must be signed and sealed by the unit and in electronic form.
2. Design implementation plan or renovation implementation plan for system security protection facilities, description of system topology structure, list of security products and certificates. (A brief safety construction and rectification plan, with the signature and seal of the unit and an electronic version)
3. The "Information System Security Level Protection Filing Form" (hereinafter referred to as the "Filing Form"), in paper form, in duplicate. It includes: "Basic Information of the Unit" (Table 1), "Information System Situation" (Table 2), "Information System Classification Situation" (Table 3), and "Materials Submitted by Information Systems at Level Three and Above" (Table 4). When filing for information systems at or above the second level, Forms One, Two and Three in the "Filing Form" need to be submitted. Information systems at or above the third level shall also submit Form 4 of the "Filing Form" and related materials (with the signature and seal of the unit and electronic version) within 30 days after the completion of system rectification and assessment.
4. "Information System Security Level Protection Classification Report" (hereinafter referred to as the "Classification Report"), in paper form, in duplicate. Each registered information system must provide a corresponding "Grading Report". The "Grading Report" should be filled out in accordance with the template format (with the signature and seal of the unit and an electronic version).
