Many regulations come into effect today! The main responsibility of network security will be further implemented

2022-06-24 04:54:00 Tencent security

Editor's note

From today, the 《Data Security Law》, the 《Key Information Infrastructure Security Regulations》 and the 《Regulations on the Management of Network Product Security Vulnerabilities》, three policies and regulations of great significance to the network security industry, formally take effect. Without exception, they specifically define and regulate the enterprise's main responsibility for network security.

Also taking effect today is the newly revised 《Production Safety Law of the People's Republic of China》. This article uses “production safety” as a point of comparison and reference to interpret the policies on “network security”, and discusses how enterprises and their management should change perspective under the new regulations in order to understand and practice the main responsibility for network security.

Author: Xiao Dan

Editor: pot Son

Expert support : Chen Haoming

  • In June 2021, the government announced the newly revised 《Production Safety Law of the People's Republic of China》, which takes effect on September 1. It stipulates that those who manage an industry must manage its safety, those who manage a business must manage its safety, and those who manage production and operations must manage their safety, further clarifying responsibility for production safety.
  • In August 2021, the 《Party Committee (Party Group) Measures for the Implementation of the Responsibility System for Network Security Work》 was published. It implements network security responsibilities across the subject of responsibility, the scope of responsibility, the matters of responsibility and the safeguard measures.
  • On August 17, the 《Key Information Infrastructure Security Regulations》 were officially announced. They require implementation of the “head responsibility system” and the establishment of a dedicated security management organization, further strengthening and implementing the main responsibilities of key information infrastructure operators.

In a matter of 3 months, from production safety to network security, issues of main responsibility have been clarified and refined through the introduction and revision of several laws and policies.

Why is more and more attention being paid to the enterprise's main responsibility for security? What do the regulations say about that responsibility? How should the main responsibility for network security be understood and implemented?

The main responsibility for network security is catching up with production safety

Production safety has always been the top priority of enterprise management, because it involves the safety of employees and of people's lives and property. If a safety incident occurs, the enterprise's operating income, reputation and other aspects suffer a significant adverse impact; it is a matter of the enterprise's survival.

With the rapid development of the digital information age, digital transformation has become a common and urgent demand of business owners, so network security has received more and more attention. It is an indicator of scientific and technological hard power, has become an essential defensive skill for enterprises, and bears on the lifeblood of enterprise development.

1. The main responsibility for production safety has become a general consensus

Through years of requirements and concrete practice, the enterprises concerned have a clearly defined responsibility for production safety and a clearly defined scope of that responsibility. For example, in mature industries such as restaurants and manufacturing, the main responsibility for fire safety has basically become common sense: if the premises catch fire, the operator, although a victim, is also held responsible. Many enterprises also use the production safety meeting as a regular working mechanism and means of supervision, ensuring attention from the leadership down to the production line.

2. The “three necessities” reinforce the main responsibility again

The newly revised 《Production Safety Law》 proposes the “three necessities”: those who manage an industry must manage its safety, those who manage a business must manage its safety, and those who manage production and operations must manage their safety. In addition to emphasizing the main responsibility of the unit's “head” for production safety, it also requires establishing and improving a production safety responsibility system covering all employees, so that responsibility for production safety is clearly assigned to every employee.

3. Policies and regulations require that network security and production safety be treated equally

Frankly speaking, network security has not yet received due attention in most domestic enterprises. Some analysts in the securities industry have pointed out that network security accounts for about 3% of domestic informatization investment, while in developed countries such as those of Europe and the United States the figure is above 10%, so the gap is wide. The introduction of the 《Implementation Method》 and the 《Protection Regulations》 in essence makes clear that the top leaders of enterprises bear the main responsibility for enterprise network security. Whenever a network security incident occurs, not only will the company be held accountable, but its top leader will also be greatly affected. Only by treating network security and production safety equally can enterprises really resist risks and meet the challenge.

Take the civil transportation industry as an example. In the past, the first person in charge of the enterprise would focus on production safety and carry out regular in-depth inspections; after all, lives are at stake and no mistake is allowed. With the advance of digitalization and the implementation of the policies, in the future the first person in charge of the enterprise must pay the same attention to network security and inspect it regularly.

Compared with the more complete and mature system for production safety, enterprises' recognition of the importance of network security and their understanding of its main responsibility still need more time to settle and take shape. But we believe the introduction of the 《Implementation Method》 and the 《Protection Regulations》 is opening this “path of understanding”, and it also provides an important driving force for the upgrading of the network security industry.

What have the policies stipulated about the main responsibility for network security?

At present, across the network security field, organized and purposeful network attacks are powerful and frequent. They seriously affect the business activities and revenue of enterprises, and have even become a sought-after “wealth code” for the “black and gray industries”.

On the one hand, the standardized development of the network security industry depends on cracking down on the “black and gray industries” and other illegal and criminal acts. On the other hand, it also requires enterprises to gradually strengthen security awareness and defensive capability in their internal organizational structure, personnel and technology. The introduction of the 《Implementation Method》, the 《Protection Regulations》 and their supporting measures is a means of pushing enterprises to improve their security capability.

Among them, the 《Implementation Method》 assigns security responsibility from top to bottom, and its full-cycle management system covering execution, supervision and accountability is detailed, specific and complete. It means that the state has higher and higher requirements for the security responsibility of managers in the field of network security. This is embodied in the following aspects:

1. The 《Implementation Method》 clearly requires top leaders to be the first responsible person for network security

Article 2 of the 《Implementation Method》 provides that all levels shall take the main responsibility for the network security work of their own regions and departments; the main person in charge of the leading group is the first responsible person, and the members of the leading group in charge of network security are directly responsible.

In the past, the information management department was usually directly responsible for an enterprise's network security, under the overall management of the CIO (chief information officer), who recruited administrators to manage the enterprise's network security. But now many enterprises have set up information security management committees to coordinate information security management across the whole enterprise, and the first person in charge of the committee is the first person in charge of the enterprise. This also means that once a network security incident occurs, the top leader of the enterprise, as the first person responsible for security, will be directly held accountable.

2. The 《Implementation Method》 brings network security into the audit scope for the first time

Article 11 of the 《Implementation Method》 provides that audit institutions at all levels, when auditing relevant departments and units, shall include network security construction and performance in the audit scope.

We usually think that only matters involving an enterprise's finances, funds and economic affairs need to be audited. The provisions of Article 11 reflect that network security has become a matter of equal importance to finances and funds. With network security included in the scope of audit supervision, a supporting audit system will follow. Under the requirements of the audit system, the main persons in charge of each enterprise will pay far more attention to network security and be far more willing to perform their duties. It can be said that the publication of the 《Implementation Method》 has pushed network security to become a strategic concern of the CEO and truly a “top-leader project”.

Conclusion

It is true that there is still a big gap between network security and production safety in the understanding and concrete practice of main responsibility. But with the rapid development of enterprise digitalization, and as more regulations and policies clarify and subdivide the main responsibilities for network security and form a tighter, more complete full-cycle management system, more and more enterprise leaders will realize the importance of network security, and more referable, feasible case practices will emerge. We may well look forward to the cause of network security, as a “top-leader project”, ushering in a new and vibrant industrial landscape.
