China's Cybersecurity Law: Multi-Level Protection Scheme (MLPS)

In part one of our Point of View (POV) series, Interpretations of the Updates to China's Cybersecurity Law, we highlighted the updated legal requirements that affect organisations looking to do business in mainland China. One of these is the Multi-Level Protection Scheme (MLPS), an administrative requirement set out in Article 21 of the Cybersecurity Law. First introduced in 1994, the scheme was updated as MLPS 2.0 in 2019; it requires network operators to protect their networks against interference, damage and unauthorised access.

To support the implementation of MLPS 2.0, the National Standardisation Management Committee of the People's Republic of China published a revised Baseline for Multi-Level Protection of Cybersecurity (GB/T 22239-2019) on 10 May 2019, effective 1 December 2019.

Under MLPS 2.0, network operators must classify their infrastructure and application systems into one of five protection levels and fulfil the protection obligations that attach to that level.

Multi-Level Protection Scheme 2.0 compliance procedure overview

Initial classification

To begin, a network operator conducts a self-assessment and proposes a protection level for its network. According to the Guideline for MLPS Classification, the level of a system or application is determined by two considerations: the impacted object and the impact level. The impacted object is who or what would be harmed by a network disruption or cybersecurity incident: citizens, legal persons and other organisations; social order and the public interest; or national security. The impact level is whether such a disruption or incident would cause minor, major or critical harm to that object.
A network's protection level is graded by its degree of societal impact against two benchmarks. The first assesses the importance of the network to national security, economic construction and social life. The second assesses the harm that a network disruption or cybersecurity incident could cause to national security, public order and the public interest, and the lawful rights and interests of citizens, legal persons and other organisations. Networks that do not affect national security, social order or the public interest are usually classified as Level 1, while networks that may affect social order or the public interest are classified as Level 2 or above.[1] Systems or applications with a higher degree of impact are more likely to be classified as Level 3 or even Level 4. Level 5 is usually reserved for state-owned military systems.

Registration with the local police agency

Currently, a system or application must be registered for MLPS within 30 days of its protection level being determined. Note, however, that the Multi-Level Protection Scheme Rules (Draft for Comment) will eventually shorten this period to 10 days for Level 2 and above. The local police review the registration and either approve it and issue an MLPS Registration Certificate, or reject it and require the applicant to make rectifications. Several compliance documents must be submitted with the registration. The exact set differs by locality, so network operators should check the official websites[2] before submitting.
Documents required for systems and applications classified Level 2 and above[3]
- Multi-level protection classification report
- Multi-level protection registration application form
- Expert classification review opinion
- Network and information security commitment
- MLPS emergency contact registration form

Additional documents required for systems and applications classified Level 3 and above
- System architecture and topology description
- Cybersecurity organisation and management policy
- System security and protection measures
- Security product inventory and sales permit
- System classification assessment report
- Regulatory agency review and approval

Key requirements for compliance

Network operators must satisfy both general and extended requirements to meet their multi-level protection obligations; the requirements are defined per protection level. General requirements cover technical controls and security management. The technical controls address the physical environment, the communications network, network border protection, data security protection and security operations. Security management covers security policy, security organisation, security resources, project management and operations management. Extended requirements address the security needs of specific platform types: cloud computing, mobile, Internet of Things (IoT), industrial control systems and big data.

Required additional security review for Level 2 and above

If a network is determined to be Level 2 or above, the network operator must engage a qualified expert to carry out an additional security review. The qualified expert is usually a third-party agency, but it can also be certified security professionals within the organisation.
The review process resembles other security audits and technical assessments: the expert interviews IT management, technical staff and security professionals to understand current security governance and practice, and examines the documented security design and the related policies and procedures to judge whether the controls in place meet the requirements of the assigned protection level. A minimum score of 75 is needed to pass the MLPS 2.0 assessment.

Verification of assessment by government-approved experts

The assessment results must be evaluated and endorsed by an independent expert recognised by the MLPS regulatory body. The independent expert provides official documents confirming the assessment results.

Government approval

The assessment result and its verification are submitted as supplementary documents to the branch of the local police agency where the registration was filed. MLPS compliance is complete once the documents are confirmed by the Ministry of Public Security and an official MLPS certificate is issued.

Re-evaluation schedule

Regular re-evaluations are required for systems and applications classified Level 3 and above, and the interval shortens as the protection level rises: Level 2 networks are re-assessed every two years, Level 3 networks annually and Level 4 networks every six months. For Level 5 networks, re-evaluation is defined and managed by the responsible regulatory ministries and commissions.

Compliance considerations and challenges

Technology compatibility and risk

What MLPS compliance demands depends on the protection level of the systems and applications in scope, as well as on the requirements of the relevant industry regulators.
A perfect score is not required for MLPS compliance, and network operators should not attempt to implement every requirement. Doing so is expensive, and it risks introducing technologies that conflict with controls already in place, especially where the organisation already follows another standard such as ISO/IEC 27001 or a NIST framework. Implementing MLPS controls for the sake of compliance, without proper analysis and redesign, can in fact lower the level of cybersecurity protection.

Companies should also weigh the capabilities of their cybersecurity team before adopting particular technologies. SELinux, for example, the mandatory access control module in the Linux kernel, needs staff who can write and troubleshoot policy and who understand that it constrains even processes running as root; a policy nobody can maintain tends to break applications and then be quietly switched off host by host, leaving a control that exists on paper only. Without that expertise, it may be more prudent for a network operator to run SELinux in permissive mode, where denials are logged but not enforced, or to disable it and other technologies requiring specialised expertise, rather than claim them as compliance controls.

Budget plan and cost

MLPS compliance is not a one-time action. Network operators should budget to remain compliant from the day a system goes live until it is retired. When setting the protection level and the budget, consider long-term compliance expenditure as well as indirect costs.
Examples of direct and indirect compliance costs:

Direct compliance costs
- MLPS evaluation cost
- MLPS remediation cost
- Product and device purchasing cost

Indirect compliance costs
- Cost of additional security systems and devices
- MLPS consulting and pre-evaluation cost
- Additional resource costs arising from MLPS compliance
- Additional maintenance or changes to affected systems
- Additional service costs arising from MLPS
- Travel and overtime costs for internal and external staff
- Collateral damage from system malfunctions and business disruption

How Protiviti can help

Protiviti helps businesses ensure that their IT services meet legal requirements and regulatory rules at both national and industry-specific levels. With a team of IT security professionals, compliance experts, auditors and other specialists, Protiviti tracks evolving regulation in light of industry innovation, environmental trends and emerging risks. Protiviti will evaluate your current compliance status and recommend technical solutions that increase the return on MLPS investment while limiting the impact on your IT and business operations. Our compliance experts monitor the published technical standards and provide professional opinions on MLPS compliance to help your enterprise continuously meet national standards and requirements.

[1] More information on the ranking criteria may be found in OneTrust DataGuidance's article on the Multi-Level Protection Scheme.
[2] The official website for Beijing may be found here, and the official website for Shanghai may be found here.
[3] This is the full list of required documents for Beijing. Other provinces may have different requirements.

Leadership

Michael Pang is a managing director with over 20 years' experience. He is the IT consulting practice leader for Protiviti Hong Kong and Mainland China. His experience covers cybersecurity, data privacy protection, IT strategy, IT organisation transformation, IT risk, post ...

Alan Wong is a director at Protiviti Hong Kong with over 21 years of experience in IT and security solutions and project management. He specialises in IT governance, risk assessment, regulatory compliance, and cybersecurity assessment and consulting. He also has an extensive ...