Babbitt column | The Internet Information Office has issued a security assessment announcement: what do blockchain information service providers need to pay attention to?

Author: Following the security assessment requirements set out in the "Regulations on the Management of Blockchain Information Services", the Internet Information Office recently issued an explanatory announcement. The announcement itself is clear, but there are still some doubts about how to implement it in practice.

In early 2019, the National Internet Information Office ("Network Information Office") set out principle-level requirements on the security assessment of blockchain information services in its Regulations on the Management of Blockchain Information Services ("Administrative Provisions").

According to the Administrative Provisions, a blockchain information service provider that develops and launches new products, new applications or new functions must report to the Internet Information Office of the state, province, autonomous region or municipality directly under the Central Government for a security assessment. If the security assessment is not carried out as required, the Internet Information Office of the province, autonomous region or municipality directly under the Central Government has the power to order rectification and impose penalties, and may even refer the case to the competent authority for the pursuit of criminal liability.

The Administrative Provisions only stipulate in principle the circumstances in which a security assessment is required and the consequences of violations; they do not specify the provisions or operating rules on which the security assessment is to be based. On August 9, 2019, the Internet Information Office issued the "Announcement on Security Assessment under the Regulations on the Management of Blockchain Information Services" ("Announcement"), which clarified that the Internet Information Office itself does not organize security assessments and has not designated or authorized any unit or organization to conduct them; instead, the relevant enterprise either evaluates itself or entrusts a qualified third-party assessment agency to conduct the assessment.

Based on the contents of the Announcement, the author understands that the Internet Information Office may intend to implement the security assessment required by the Administrative Provisions by reference to the "Provisions on the Security Assessment of Internet Information Services with Public Opinion Attributes or Social Mobilization Capabilities" ("Assessment Provisions"), issued jointly with the Ministry of Public Security on November 15, 2018. The Assessment Provisions apply to Internet information service providers with public opinion attributes or social mobilization capabilities, that is, providers of information services or corresponding functions such as forums, blogs, microblogs, chat rooms, communication groups, public accounts, short videos, webcasts, information sharing and mini programs. The Assessment Provisions would thus serve as the operational guideline for blockchain information service providers when conducting security assessments.

However, because the Announcement is relatively brief, the relevant enterprises have doubts about how to understand and apply some of the requirements it mentions. The author briefly analyzes these questions below, for general reference only.

1. What qualifications do third-party assessment agencies need?

According to the Announcement, a blockchain information service provider may entrust an assessment agency with the relevant qualifications to carry out the security assessment, or it may conduct a self-assessment of the security risks of its blockchain information service.

Where a third party is entrusted to conduct the security assessment, the author understands from the Announcement that the institution entrusted may need to be an assessment agency approved by the China National Certification and Accreditation Administration (CNCA), which sits under the State Administration for Market Regulation, and accredited by the China National Accreditation Service for Conformity Assessment (CNAS); such institutions may also be required to hold qualifications for information security management system certification and information technology service management system certification. Other units or institutions would not be eligible.

The author has noticed that a number of institutions on the market claim to be able to carry out blockchain technology security assessments but are not CNCA-approved, CNAS-accredited assessment agencies holding information security management system and information technology service management system certification. A blockchain information service provider that intends to entrust a third-party organization with its security assessment should pay attention to the agency's qualifications and entrust only a qualified assessment agency.

2. What are the requirements for the security assessment?

What is the content of the security assessment?

According to the Announcement, a blockchain information service provider conducting a security risk assessment shall do so in accordance with the relevant requirements of the Assessment Provisions. However, the Announcement does not specify what these "relevant requirements" include.

According to the Assessment Provisions, an Internet information service provider conducting a security assessment should comprehensively evaluate the legality of its new applications and new technologies, the implementation and effectiveness of the security measures required by laws, administrative regulations, departmental rules and standards, and the effectiveness of its security risk prevention and control, focusing on the following eight elements: (1) whether a person responsible for security management and information review personnel have been designated, or a security management organization appropriate to the services provided has been established; (2) measures for verifying users' real identities and retaining registration information; (3) measures for logging and retaining users' account numbers, operation times, operation types, network source and destination addresses, network source ports and client hardware characteristics, and for retaining records of the information users publish; (4) measures for preventing and handling illegal and harmful information in service functions such as user account and communication group names, nicknames, profiles, remarks and logos, information publishing, forwarding and commenting, and communication groups; (5) information protection measures and measures to prevent the dissemination of illegal and harmful information and the loss of control over social mobilization functions; (6) the establishment of a complaint and reporting system, publication of complaint and reporting channels, and prompt acceptance and handling of complaints and reports; (7) a working mechanism for providing technical and data support and assistance to the Internet information department in performing its supervisory duties over Internet information services according to law; and (8) a working mechanism for providing technical and data support and assistance to public security organs and national security agencies in safeguarding national security and investigating and handling illegal and criminal activity.

What are the contents of the security assessment report?

According to the Assessment Provisions, once the security assessment has been completed in compliance with laws, administrative regulations, departmental rules and standards, a security assessment report shall be prepared. The report shall include: (1) basic information on the Internet information service, such as its functions, service scope, software and hardware facilities, deployment location and the relevant licenses obtained; (2) the implementation of the security management system and technical measures and the effectiveness of risk prevention and control; (3) the security assessment conclusions; and (4) other relevant matters that should be explained.

Based on the above provisions, the author understands that the main content of the security assessment required of a blockchain information service provider, and the main content of its security assessment report, may likewise need to cover the elements listed in the Assessment Provisions, adapted to the specific circumstances of the information services it provides.

3. Does the security assessment need to be done before or after the event?

The Administrative Provisions state that a blockchain information service provider should conduct a security assessment when it develops and launches new products, new applications or new functions, but they do not clearly state whether the assessment is required before or after the launch; this needs to be clarified.

The Assessment Provisions set different rules for the submission of security assessment reports in different situations: in some cases the report must be submitted in advance, in others afterwards.

According to the Assessment Provisions, an Internet information service provider shall submit a security assessment report before the information service is launched, the new technology or new application is used, or the function is added, in either of the following situations: (1) an information service with public opinion attributes or social mobilization capability goes online, or such functions are added to an information service; or (2) the use of new technologies or new applications causes major changes in the functional attributes, technical implementation or basic resource allocation of the information service, resulting in major changes in its public opinion attributes or social mobilization capabilities.

The Assessment Provisions also set out situations in which the security assessment report is submitted afterwards (within 30 working days from the date the relevant situation occurs), including: (1) a significant increase in the number of users leads to a major change in the public opinion attributes or social mobilization capability of the information service; (2) the spread of illegal or harmful information indicates that cybersecurity risks cannot be effectively prevented and controlled; or (3) other situations in which the municipal-level Internet information authority or the public security organ requires a security assessment.

Given that the situation in which the Administrative Provisions require a blockchain information service provider to conduct a security assessment ("developing and launching new products, new applications or new functions") corresponds to the situation in which the Assessment Provisions require the report to be submitted in advance (launch of an information service, use of a new technology or new application, or addition of a function), the author understands that a blockchain information service provider should conduct the security assessment before it launches new products, new applications or new functions.

In addition, neither the Administrative Provisions nor the Announcement mentions situations in which an ex post security assessment is required. Where a situation similar to those listed in the Assessment Provisions as requiring a report afterwards arises (in particular, the spread of illegal or harmful information indicating that cybersecurity risks cannot be effectively prevented and controlled), it is not clear whether a blockchain information service provider must conduct an ex post security assessment.

4. Is the submitted security assessment report limited to the self-assessment report?

According to the Announcement, if a blockchain information service provider conducts the security assessment itself, it must submit a security self-assessment report through the National Internet Security Management Service Platform (www.beian.gov.cn). However, if the provider entrusts a third party to conduct the security assessment, the Announcement does not seem to make clear whether the assessment report issued by the third party must be submitted, or through which channel.

Based on the principle-level requirements of the Administrative Provisions, and by reference to the provisions of the Assessment Provisions on the submission of security assessment reports, the author understands that the "security self-assessment report" which the Announcement requires to be submitted through the above platform is called a "self-assessment" perhaps to emphasize that the initiator and organizer of the security assessment must be the blockchain information service provider itself, not the Network Information Office (or experts or technical teams organized by it). On this reading, the so-called "self-assessment" covers both an assessment conducted by the blockchain information service provider itself and one conducted by a third party, and the assessment report produced by either method needs to be submitted through the National Internet Security Management Service Platform.

5. Is the Internet Information Office the only regulator of the security assessment?

According to the Administrative Provisions, if a blockchain information service provider has not conducted a security assessment, the authority with the power to supervise and impose administrative penalties is the Internet Information Office of the province, autonomous region or municipality directly under the Central Government.

Under the Assessment Provisions, Internet information service providers submit the security assessment report to the local-level Internet information department and the public security organ through the National Internet Security Management Service Platform. Both authorities have the power to review the report in writing and even to conduct on-site inspections; for Internet information services that carry large security risks and may affect national security, social order or the public interest, the provincial-level Internet information department and the public security organ shall organize expert review and on-site inspection.

Although neither the Administrative Provisions nor the Announcement explicitly mentions the supervisory duties of public security organs in the security assessment, the system through which the assessment report is submitted, the National Internet Security Management Service Platform, is set up by the Cyber Security Bureau of the Ministry of Public Security, and the supervision and maintenance of network security is itself the responsibility of the Ministry's network security departments. The author therefore understands that the public security organs may also perform regulatory duties over the security assessments of blockchain information service providers similar to their functions under the Assessment Provisions.

Summary:

With respect to the Network Information Office's supervision of the security assessments of blockchain information service providers, it is convenient to refer directly to the Assessment Provisions, since such providers currently provide information services to the public through the Internet. On the other hand, because the Assessment Provisions apply to Internet information service providers with public opinion attributes or social mobilization capabilities, and their specific requirements are designed for those providers, there is still some doubt as to whether all of the relevant requirements (for example, ex post security assessment) are fully applicable to blockchain information service providers; this will need to be further clarified by the Network Information Office in regulatory practice.

Author: Zhang Ling, a partner at law firm Han

Disclaimer: This article only represents the author's personal opinion and does not represent the opinions of the organization. The contents of this article do not constitute legal advice and investment advice. To reprint or cite any of the content in this article, please include the author's name.