Slide 1: An Introduction to the PRC Cyber Security Law
环球律师事务所 GLOBAL LAW OFFICE
Ren Qing, Partner
Beijing, June 2017
Slide 2: Overview: 7 Chapters and 79 Articles
Cyber Security Law of the People's Republic of China
- Chapter I General Provisions
- Chapter II Support to and Promotion of Network Security
- Chapter III Network Operation Security
  - Section I General Stipulations
  - Section II Operation Security of Critical Information Infrastructures
- Chapter IV Network Information Security
- Chapter V Monitoring, Early Warning and Emergency Response
- Chapter VI Liabilities
- Chapter VII Supplementary Provisions
Slide 3: Scope of Application
Article 2: This Law shall apply to the construction, operation, maintenance, and use of networks as well as the supervision and administration of network security within the territory of the People's Republic of China.
- Network: any system that is composed of computers or other information terminals and relevant equipment and that collects, stores, transmits, exchanges, and processes information according to certain rules and procedures (e.g., a mobile phone or iPad).
- Within the territory of the PRC: in principle this Law does not apply to foreign persons/entities which provide services utilizing network facilities located overseas, except that:
  - If any information originating from outside of the PRC is prohibited from publication or transmission under PRC laws and/or administrative regulations, the PRC authority may take technical measures and other necessary measures to block its transmission.
  - Any foreign persons/entities that engage in the activities of attacking, intruding, disturbing, damaging or otherwise endangering critical information infrastructures, resulting in serious consequences, shall bear liabilities; the PRC authority may decide to adopt measures of freezing property or other necessary sanctions against such institution, organization or individual.
Who is subject to the law?
- Network operators, i.e. owners and administrators of networks and network service providers. "Network service provider" covers a wide range of entities that provide services through networks, including not only internet enterprises that mainly provide on-line services (e.g. e-commerce platforms, web portals, apps, self-media etc.), but also traditional off-line businesses that provide network services.
- Suppliers of network products.
- Users of networks: they are prohibited from stealing PI or publishing illegal information etc.
Slide 4: Regulatory Framework
- The Cyberspace Administration of China (CAC) is responsible for the comprehensive arrangement and coordination of work in connection with network security and the relevant supervision and administration.
- The Ministry of Industry and Information Technology (MIIT), the Ministry of Public Security and other relevant departments under the State Council are responsible for security protection, supervision and regulation within their respective competences in accordance with the provisions of this Law and relevant laws and administrative regulations.
- Other relevant departments include the NDRC, Ministry of State Security, Ministry of Finance, Ministry of Communication, MOFCOM, People's Bank of China, AQSIQ, National Energy Administration, etc.
Slide 5: Operation Security: General Provisions (I)
The State implements a system of hierarchical protection of network security (5 tiers in total; see the Administrative Measures for Hierarchical Protection of Information Security (2007)). Network operators shall, in accordance with the hierarchical protection system, fulfill the following obligations (some of these obligations may be irrelevant to some networks):
- formulating internal security management systems and operating procedures, designating responsible person(s) in charge of network security, and implementing responsibility for network security protection;
- adopting technical measures to prevent computer viruses and activities endangering network security such as network attacks and network intrusions;
- adopting technical measures for monitoring and recording network operation status and network security incidents, and keeping the relevant network logs for at least 6 months in accordance with relevant provisions; and
- adopting measures such as data classification, backup and encryption of important data.
Real-Name System: network operators shall, when providing network access, domain name registration, access formalities for fixed-line telephone or mobile phone, or the service of information release and instant messaging etc., require users to provide authentic identity information.
Network operators shall formulate emergency response plans for network security incidents; in the event of a network security incident, they shall report to the competent authorities in accordance with relevant provisions.
Network operators shall provide technical support and assistance to the public security / state security organs during their activities of protecting national security and investigating crimes in accordance with the Law.
Slide 6: Operation Security: General Provisions (II)
Providers of network products and services:
- shall not set up malicious programs;
- shall immediately take remedial measures, promptly notify users and report to the competent authorities in accordance with relevant provisions when they discover security defects, loopholes, and other risks in their network products and/or services;
- shall provide security maintenance of their products and/or services on a continuous basis and shall not terminate security maintenance within the period prescribed or agreed upon by the parties;
- shall clearly indicate to users and obtain their approval if the products and/or services are capable of collecting user information; where users' personal information is concerned, they shall also comply with the provisions on personal information protection of this Law and other relevant laws and administrative regulations.
Where compulsory national standards apply, network products and network services shall comply with such compulsory requirements.
Slide 7: Information Security: Obligations of Network Operators (I)
- Network operators shall keep users' information (broader than personal information) they have collected strictly confidential.
- Personal information (PI): collection and use of PI shall be subject to the principles of legality, legitimacy, and necessity; network operators:
  - shall publicize the rules and explicitly indicate the purpose, method and scope of the collection and use, and obtain approval from those whose PI is collected;
  - shall not collect PI irrelevant to the services they provide, or collect and/or use PI in violation of laws, administrative regulations and the agreements of the parties;
  - shall not divulge, tamper with, or damage the PI they have collected;
  - shall not provide such PI to others without the consent of those from whom the information is collected, except for information that has been processed so that it cannot be recovered and no particular individual can be identified through it;
  - shall take technical measures and other necessary measures to ensure the security of the PI they have collected and prevent it from being divulged, damaged or lost.
Further Reading: SPC-SPP Joint Judicial Interpretation on Several Issues regarding Criminal Cases of Personal Information Infringement.
Slide 8: Information Security: Obligations of Network Operators (II)
Information management obligations:
- When discovering that information published by users is prohibited from publication or transmission by laws and administrative regulations, network operators shall immediately stop the transmission of such information, take measures such as removal to prevent its spread, keep records and report to the competent authorities.
- Electronic information delivery service providers and application software downloading service providers who are aware that electronic information sent by users or applications provided by users contain malicious programs, or contain information prohibited from publication or transmission, shall cease to provide services, take measures such as removal, keep records and report to the competent authorities.
Obligations to cooperate with supervision and inspections by the authorities.
Slide 9: Critical Information Infrastructure (CII)
Scope of CII:
- The State shall, on the basis of the system of hierarchical protection of network security, give priority to the protection of CIIs in important industries and fields such as public communications and information services, energy, transportation, water conservancy, finance, public services, and e-government affairs, and of other CIIs whose damage, dysfunction or data leakage may endanger national security, people's livelihood and public interests.
- The detailed scope of, and implementing measures for, CII protection shall be formulated by the State Council. A draft is expected to be published soon for soliciting public comments; besides, specific guiding documents and standards will be formulated.
- In principle, CIIs are to be determined within the networks at Tier Three and above. Not every information network in these industries constitutes CII.
Additional obligations of CII operators:
- set up special security management departments and a person in charge, and conduct background checks of the person in charge and persons in key positions;
- carry out network security education, technical training and skill assessment for personnel on a regular basis;
- carry out disaster recovery backup of important systems and databases;
- formulate emergency response plans for network security incidents and conduct drills on a regular basis;
- Purchase of network products and services: national security review (see later slides); confidentiality agreement.
- PI and important data: to be stored within the PRC territory; security assessment before being transmitted abroad (see later slides).
- Others: security assessment at least once a year; priority regulation by the authorities (e.g. random inspection, emergency drills).
Slide 10: Security Review for Network Products and Services (I)
Measures for Security Review of Network Products and Services (For Trial Implementation).
Scope of the Review: important network products and services purchased for networks and information systems concerning national security. Specifically, network products and services purchased by CII operators that may affect national security (to be determined by the departments in charge of CII protection).
Content of the Review: the security and controllability of network products and services, mainly including:
- security risks of the products and services themselves, and the risks of their being illegally controlled, interfered with or interrupted from operation;
- security risks in the supply chain of products and key components in the course of their production, testing, delivery and technical support;
- risks of illegal collection, storage, processing or use of relevant user information by product and service providers taking advantage of their convenient positions; and
- risks of product and service providers impairing network security and the interests of users by taking advantage of users' reliance on their products and services.
Slide 11: Security Review for Network Products and Services (II)
Mechanism of the Review:
- Review Committee: led by CAC, joined by NDRC, MIIT, MPS, MSS, MOF, MOC, MOFCOM, PBS, AQSIQ, NEA, etc.
- Expert Committee: experts nominated by relevant departments and appointed by the Review Committee.
- Review Office: currently assumed by the China Information Security Certification Center (ISCCC).
- Third Party Institution: selected from existing national-level network security technical institutions.
- MIIT, MOC, PBS and NEA may establish review taskforces to carry out security assessments of specific industries.
Procedure of the Review:
- Determine the subject of review: ministries may recommend that the Review Committee initiate a review; when national industrial associations so recommend or users so request, the Committee will determine whether to initiate a review.
- Third party evaluation: a selected third party institution evaluates the security and controllability of the products/services through laboratory testing, onsite inspection, online monitoring, background investigation etc.
- Expert evaluation: the Expert Committee conducts a comprehensive evaluation based on the third party evaluation results and formulates draft conclusions of the review.
- Conclusion of review: once approved, conclusions will be published or notified within a certain range.
Slide 12: Data Storage and Export (I)
A draft Measures on Security Assessment of the Cross-Border Transmission of Personal Information and Important Data has been published.
- PI and important data collected or generated by CII operators within the PRC territory shall be stored within China. If it is necessary to provide the data abroad out of operational needs, a security assessment shall be conducted.
- Scope of application: the draft extended the requirement to all network operators and stipulated analogical application to other individuals and organizations (Article 16). It is reported that Article 16 has been deleted; besides, according to a CAC statement on May 31, data localization might only apply to CII operators.
- PI: refers to various types of information, recorded electronically or in other forms, that can be used alone or in combination with other information to identify a natural person, including but not limited to name, date of birth, identity certificate number, personal biological identification information, address, telephone numbers etc. (Article 76 of the Cyber Security Law). A judicial interpretation further clarifies this as: various types of information that can be used alone or in combination with other information to identify a natural person or to indicate the movement/location thereof, including but not limited to name, identity certificate number, contact information, address, account and password, financial status, and physical location information, etc. Relevant national standards: Personal Information Security Standards are under development.
- Important Data: data closely related to national security, economic development and public interests; in other words, data that are important for a company are not necessarily important data. Identification Guidance for Important Data will soon be released.
- Provide Abroad (Export): providing PI and important data in electronic form to overseas institutions, organizations and individuals.
Slide 13: Data Storage and Export (II)
Self-Assessment: network operators or CII operators shall conduct a data export security assessment depending on the type, quantity, and importance of the data exported. In the event of major changes in the purpose, scope, type, quantity etc. of the data export, a change of data receiver, or the occurrence of a significant security incident, a re-assessment shall be conducted in time. The Draft prescribes that self-assessment shall be conducted at least once a year; it is said this has been deleted.
Security Assessment by the authorities (industry administrative or supervisory departments, or CAC) is required if:
- the export contains, or in aggregate contains, PI of more than 500,000 persons;
- the data exported exceeds 1,000 gigabytes (reported to have been deleted);
- the data contain information with respect to nuclear facilities, chemical biology, national defense, public health; large-scale project activities, marine environments, sensitive geographic information; or cybersecurity information regarding CII's system vulnerabilities and specific protection measures etc.;
- operators of CII transmit PI and important data abroad (reported to have been deleted);
- other circumstances that may potentially affect national security and the social public interests.
Slide 14: Data Storage and Export (III)
Guidance for Data Export Security Assessment is under development. The Data Export Security Assessment shall focus on:
- the legality, legitimacy, and necessity of the data export;
- the PI involved, including its quantity, scope, type, sensitivity and the consent of the information subject etc.;
- the important data involved, including its quantity, scope, type, etc.;
- the security protection ability, measures and environment of the data receiver;
- the risks of divulgence, damage, alteration or misuse of the data transmitted abroad and further transferred;
- potential risks to national security, social and public interests, and legitimate personal interests arising from the export.
Conclusion of the Assessment: the data cannot be exported:
- if the export is in violation of relevant state regulations;
- where the subject of the PI has not consented to the export of such PI;
- where the export of the data poses risks to national politics, economy, technology, national defense, etc. and may affect national security or impair social public interests;
- in other circumstances determined by the national internet information departments, public security departments, state security departments etc.
Slide 15: Critical Network Equipment and Dedicated Network Security Products
Critical network equipment and dedicated network security products can be sold or provided only if they have passed security certification or security testing conducted by qualified institutions (e.g. ISCCC) in accordance with the compulsory requirements of national standards.
CAC shall, in conjunction with MIIT, MPS and CNCA, formulate and promulgate the catalogue of critical network equipment and dedicated network security products. The first batch of the catalogue is expected to be promulgated soon.
Equipment and products listed in the catalogue shall obtain security certification or pass security testing; those that have been previously certified need not undergo certification or testing again before the expiration of that certification.
Slide 16: Advice to Enterprises
- The Cyber Security Law has a broad scope of application.
- Severe liabilities may be incurred under the Cyber Security Law: fines, confiscation of illegal gains, suspension of business for rectification, revocation of business license or operating certificate, and criminal liabilities, for both the institution and the individual.
- Provisions of the Cyber Security Law, and even its implementing rules, are rather general or ambiguous, requiring more specific rules, standards or guidelines to be formulated on: hierarchical protection of network security; CII protection; network security review; data storage and export.
Recommendations:
- Attach great importance to cybersecurity compliance;
- Keep close attention on the relevant rules, normative documents and national standards to be promulgated;
- Seek professional advice when necessary.
Slide 17: Further Reading: Other Relevant Laws and Regulations
- Criminal Law (2015 revised)
- Law on Penalties for Administration of Public Security (2005)
- Electronic Signature Law (2005)
- State Security Law (2015)
- Decision on Preserving Computer Network Security (2000)
- Decision on Strengthening Network Information Protection (2012)
- Telecommunications Regulation (2016 revised)
- Regulations for Safety Protection of Computer Information Systems (2011 revised)
- Administrative Measures on Internet Information Services (2011 revised)
- SPC-SPP Joint Judicial Interpretation on Several Issues regarding Criminal Cases of Personal Information Infringement
- MPS's Administrative Measures for Hierarchical Protection of Information Security (2007)
- MPS's Administrative Measures for Protection of the Security of International Internetworking of Computer Information Networks (2011)
- MIIT's Administrative Measures for the Security Protection of Communication Networks (2010)
- MIIT's Provisions on Protecting the Personal Information of Telecommunications and Internet Users (2013)
More informationCOMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards
November 2016 COMMENTARY Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards The Board of Governors of the Federal Reserve System ( Federal Reserve Board ), the Federal Deposit Insurance
More informationHF Markets SA (Pty) Ltd Protection of Personal Information Policy
Protection of Personal Information Policy Protection of Personal Information Policy This privacy statement covers the website www.hotforex.co.za, and all its related subdomains that are registered and
More informationLAW OF THE REPUBLIC OF KAZAKSTAN «ON CERTIFICATION»
April 27\ 99 Draft LAW OF THE REPUBLIC OF KAZAKSTAN «ON CERTIFICATION» This Law shall establish legal basis of certification of products, quality systems and production, (further processes), works and
More informationSPECIAL CONDITIONS FOR SO YOU START DEDICATED SERVER RENTAL Latest version dated 03/12/2013
SPECIAL CONDITIONS FOR SO YOU START DEDICATED SERVER RENTAL Latest version dated 03/12/2013 ARTICLE 1: PURPOSE The purpose of these Special Conditions, which supplement the So You Start General Conditions
More informationUN General Assembly Resolution 68/243 GEORGIA. General appreciation of the issues of information security
UN General Assembly Resolution 68/243 GEORGIA General appreciation of the issues of information security Widely publicized cyber attacks and, to some expert opinions, cyber war - conducted against Georgia
More informationUnofficial English translation offered by EuropElectro, for reference only
No.: CNCA-C10-01: 2014 Implementation Rules for Compulsory Certification of Lighting Electrical Appliances Announced on Jul. 16, 2014 Implemented on Sep. 1, 2014 Certification and Accreditation Administration
More informationNYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationUnionPay QuickPass Terminal Product Certification Rules
Document No.: UPCA--02V.0 PU UnionPay QuickPass Terminal Product Certification Rules Issued on July, 205 Implemented from July, 205 Issued by China UnionPay Co., Ltd. UnionPay QuickPass Terminal Product
More informationUnofficial English translation offered by EuropElectro, for reference only
No.: CNCA C03 01:2014 Implementation Rules for Compulsory Certification of Low-voltage Electrical Apparatus Low-voltage Switchgear Assembly Announced on July.16.2014 Implemented on Sep.1.2014 Certification
More informationPRIVACY POLICY OF.LT DOMAIN
PRIVACY POLICY OF.LT DOMAIN Status Up-to-date version Date 2018-05-25 CHAPTER I GENERAL PROVISIONS 1. Privacy policy of.lt domain (hereinafter Privacy Policy) stipulates conditions of processing, legal
More informationLegal, Ethical, and Professional Issues in Information Security
Legal, Ethical, and Professional Issues in Information Security Downloaded from http://www.utc.edu/center-information-securityassurance/course-listing/cpsc3600.php Minor Changes from Dr. Enis KARAARSLAN
More informationETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)
ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive) July 2013 Executive Summary ETNO supports the European Commission s global approach to cyber-security
More informationTechnical Requirements of the GDPR
Technical Requirements of the GDPR Purpose The purpose of this white paper is to list in detail all the technological requirements mandated by the new General Data Protection Regulation (GDPR) laws with
More informationXO SITE SECURITY SERVICES
XO SITE SECURITY SERVICES 1.0 Product and Services 1.1 Product Description. XO Site Security (the "Service") is a managed security service which uses Premises-based, multi-threat sensing Customer Premises
More informationInformation Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV
Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV Location: https://www.pdsimplified.com/ndcbf_pdframework/nist_csf_prc/documents/identify/ndcbf _ITSecPlan_IDGV2017.pdf
More informationNATIONAL CYBER SECURITY STRATEGY. - Version 2.0 -
NATIONAL CYBER SECURITY STRATEGY - Version 2.0 - CONTENTS SUMMARY... 3 1 INTRODUCTION... 4 2 GENERAL PRINCIPLES AND OBJECTIVES... 5 3 ACTION FRAMEWORK STRATEGIC OBJECTIVES... 6 3.1 Determining the stakeholders
More informationAcceptable Use Policy
IT and Operations Section 100 Policy # Organizational Functional Area: Policy For: Date Originated: Date Revised: Date Board Approved: Department/Individual Responsible for Maintaining Policy: IT and Operations
More informationThe Role of the Data Protection Officer
The Role of the Data Protection Officer Adrian Ross LLB (Hons), MBA GRC Consultant IT Governance Ltd 28 July 2016 www.itgovernance.co.uk Introduction Adrian Ross GRC consultant Infrastructure services
More informationDisclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates
Disclosure text - PDS (PKI Disclosure Statement) for electronic signature and authentication certificates Index INDEX... 2 1. DISCLOSURE TEXT APPLICABLE TO NATURAL PERSON CERTIFICATES ISSUED ON QSCD...
More informationRegulations on production, export, import, circulation and business of audio and video tapes and discs on music and stage performances
Regulations on production, export, import, circulation and business of audio and video tapes and discs o Regulations on production, export, import, circulation and business of audio and video tapes and
More informationAbout Issues in Building the National Strategy for Cybersecurity in Vietnam
Vietnam Computer Emergency Response Team - VNCERT About Issues in Building the National Strategy for Cybersecurity in Vietnam Vu Quoc Khanh Director General Outline Internet abundance Security situation
More informationData Processing Agreement
Data Processing Agreement Merchant (the "Data Controller") and Nets (the "Data Processor") (separately referred to as a Party and collectively the Parties ) have concluded this DATA PROCESSING AGREEMENT
More informationData Processing Agreement DPA
Data Processing Agreement DPA between Clinic Org. no. «Controller». and Calpro AS Org. nr. 966 291 281. «Processor» If the parties have executed a Data Management Agreement, the Date Management Agreement
More informationLiechtenstein. General I Data Protection Laws. Contributed by Wanger Advokaturbüro. National Legislation. National Regulatory Authority.
Contributed by Wanger Advokaturbüro General I Data Protection Laws National Legislation General data protection laws The Data Protection Act (the DPA ) dated 14 March 2002 and the relevant Ordinance on
More informationHPE DATA PRIVACY AND SECURITY
ARUBA, a Hewlett Packard Enterprise company, product services ( Services ) This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection
More informationData Processing Agreement
In accordance with the European Parliament- and Council s Directive (EU) 2016/679 of 27th April 2016 (hereinafter GDPR) on the protection of physical persons in connection with the processing of personal
More informationData Processing Agreement for Oracle Cloud Services
Data Processing Agreement for Oracle Cloud Services Version January 12, 2018 1. Scope, Order of Precedence and Term 1.1 This data processing agreement (the Data Processing Agreement ) applies to Oracle
More informationInformation Security Policy
April 2016 Table of Contents PURPOSE AND SCOPE 5 I. CONFIDENTIAL INFORMATION 5 II. SCOPE 6 ORGANIZATION OF INFORMATION SECURITY 6 I. RESPONSIBILITY FOR INFORMATION SECURITY 6 II. COMMUNICATIONS REGARDING
More informationImplementation Rules for the Certification of Organic Products
Annex NO CNCA-N-009 2011 Implementation Rules for the Certification of Organic Products Issued on 1 st December, 2011 Enforced on 1 st March, 2012 Issued by Certification and Accreditation Administration
More informationGoogle Cloud & the General Data Protection Regulation (GDPR)
Google Cloud & the General Data Protection Regulation (GDPR) INTRODUCTION General Data Protection Regulation (GDPR) On 25 May 2018, the most significant piece of European data protection legislation to
More informationNEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE
COMPLIANCE ADVISOR NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE A PUBLICATION BY THE EXCESS LINE ASSOCIATION OF NEW YORK One Exchange Plaza 55 Broadway 29th Floor New York, New York 10006-3728 Telephone:
More informationResolution: Advancing the National Preparedness for Cyber Security
Government Resolution No. 2444 of February 15, 2015 33 rd Government of Israel Benjamin Netanyahu Resolution: Advancing the National Preparedness for Cyber Security It is hereby resolved: Further to Government
More informationTable of Contents. PCI Information Security Policy
PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology
More informationExternal Supplier Control Obligations. Cyber Security
External Supplier Control Obligations Cyber Security Control Title Control Description Why this is important 1. Cyber Security Governance The Supplier must have cyber risk governance processes in place
More informationLegal framework of ensuring of cyber security in the Republic of Azerbaijan
Legal framework of ensuring of cyber security in the Republic of Azerbaijan Bakhtiyar N.Mammadov Ministry of Communications and Information Technologies Head of Legal and HR Department ITU WSIS Thematic
More informationInformation technology Security techniques Information security controls for the energy utility industry
INTERNATIONAL STANDARD ISO/IEC 27019 First edition 2017-10 Information technology Security techniques Information security controls for the energy utility industry Technologies de l'information Techniques
More informationThe NIS Directive and Cybersecurity in
The NIS Directive and Cybersecurity in ehealth Dr. Athanasios Drougkas Officer in NIS Belgian Hospitals Meeting on Security Brussels 13 th October European Union Agency For Network And Information Security
More informationDATA PROCESSING TERMS
DATA PROCESSING TERMS Safetica Technologies s.r.o. These Data Processing Terms (hereinafter the Terms ) govern the rights and obligations between the Software User (hereinafter the User ) and Safetica
More informationGuidelines Concerning the Transmission, Etc. of Specified Electronic Mail
Guidelines Concerning the Transmission, Etc. of Specified Electronic Mail August 2011 Ministry of Internal Affairs and Communications Telecommunications Bureau Telecommunications Consumer Policy Division
More informationTechnical Conference on Critical Infrastructure Protection Supply Chain Risk Management
Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management Remarks of Marcus Sachs, Senior Vice President and the Chief Security Officer North American Electric Reliability
More informationDHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017
DHS Cybersecurity Election Infrastructure as Critical Infrastructure June 2017 Department of Homeland Security Safeguard the American People, Our Homeland, and Our Values Homeland Security Missions 1.
More informationFiscal 2015 Activities Review and Plan for Fiscal 2016
Fiscal 2015 Activities Review and 1. The Ricoh Group s Information Security Activities In response to changes emerging in the social environment, the Ricoh Group is promoting its PDCA management system
More informationPresent Situation of Cyber Terrorism in China and Its Legal Countermeasures
Present Situation of Cyber Terrorism in China and Its Legal Countermeasures The People s Republic of China The Interpretations of the Supreme People's Court Li Ping, Senior Judge Present Situation of
More informationPolicy and Procedure: SDM Guidance for HIPAA Business Associates
Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:
More informationSubject: University Information Technology Resource Security Policy: OUTDATED
Policy 1-18 Rev. 2 Date: September 7, 2006 Back to Index Subject: University Information Technology Resource Security Policy: I. PURPOSE II. University Information Technology Resources are at risk from
More informationPERSONAL DATA PROCESSING POLICY FOR SUPPLIER
PERSONAL DATA PROCESSING POLICY FOR SUPPLIER 1. Definitions. In accordance with current legislation on the subject definitions are: a) Authorization: Expressed and informed prior consent of the Data Subject
More informationSAC PA Security Frameworks - FISMA and NIST
SAC PA Security Frameworks - FISMA and NIST 800-171 June 23, 2017 SECURITY FRAMEWORKS Chris Seiders, CISSP Scott Weinman, CISSP, CISA Agenda Compliance standards FISMA NIST SP 800-171 Importance of Compliance
More informationNIS-Directive and Smart Grids
NIS-Directive and Smart Grids Workshop on European Smart Grid Cybersecurity: Emerging Threats and Countermeasures Marie Holzleitner Table of Content Aims & Objectives Affected Parties Selected Requirements
More informationNational Policy and Guiding Principles
National Policy and Guiding Principles National Policy, Principles, and Organization This section describes the national policy that shapes the National Strategy to Secure Cyberspace and the basic framework
More information