RCR 002: China Cybersecurity Law - CISSP Training

Description:  

Shon Gerber presents his take on some recent articles from the cybersecurity law.

NOTES: The National Law Review concerning an update to the China Cyber law and they are closing out comments at the end of July.

Basically, here is what they are saying:

• A multi-level protection scheme (MPLS) is being setup to address the level of risk posed by a company for all Network Operators
• If not sure on what a Network Operator is…..you probably are if you have a network in China - Levels range from 1-5 (5 being the worst)
• Level 2 and below requires self-assessment with confirmation from government of your MPLS scheme - Level 3 and above are subject to “enhanced security requirements”
• Level 2 and above require an “expert review” of how you classified your self during the self-assessment to make sure everyone agrees
• “New” Level 3 and above companies must have their MPLS reviewed by an “accredited” entity of the Ministry of Public Security (MPS)
• Regular Emergency Response Drills for Level 3 and above must be completed
• Incident must be reported to the MPS within 24 hours (GDPR is 72 hours)
• And a few others……

Transcript:

Series on providing security information for YouTube and four other areas that you can go and use for your business and this is about China and the China address cyber security regulations on China 2018 China's Ministry MPS release for public comment a draft of the regulations on cybersecurity multi-level protection scheme LPS multi-level protection scheme and what they've done basically is they have moved the situation up where they've gone from being a two buckets what a guy that comes to the to the Chinese your network operator bucket and you have a CII bucket which is your critical information or critical infrastructure information what they work is it work this way you have your network operator regulations you have to follow the things you have to do copper I should say date to see II sit on top that the reason behind that is is that the network operator has a lot of requirements but the CI takes it to the next level and will have further talk how that's going to work for a c i work than your business but just know that this regulation the changes for these specifically for the network operator okay and like they like buckets I like buckets right so they have different levels raid from Level 1 to level 5 level 1 is for like a basic kind of business that might be going a little V is for a multinational that's because bottom lines are trying to protect the state and I'm trying to protect the information and and the people that reside within the state of China the country level 1 through level 5 level 2 what it does it requires you so level 1 and level 2 how to do a self-assessment a self-assessment is a confirmation from the government of your specific mpls scheme okay so that the whole purpose of that is that you have to do the self-assessment you see is a lot of other things out there right MCI has self-assessment of all kinds of selfish you two look at hey where do you fit right well you have to do a self-assessment as well within China and their Chinese cyberlock what level 2 and Below requires you to do the self-assessment a with confirmation from a government of your scheme okay so if you say that you are a level 1 you have to get confirmation from the government to make sure that you are level one that's what they want you to I don't know how faster response going to be don't really know are subject to enhance security requirements what does that mean I have no idea to see what that might be in it adding another level of risk security on top of what you've already got as a network operator level 2 above requires an expert assessment Myers a expert review okay so this expert of you I don't know what that is if there's somebody that is deemed aquatic or expert they will then give you that that review then level 3 and above so now if your new company from Level 3 and above you must have the ministry of public security so you have an expert review for level 2 in above and then if you're a brand new level 3 in above which must be some sort of Grace. That comes in there I don't know level 3 in above you have to have reviewed by a credit identity of the ministry of public security last Light level 5 is you have to have a regular emergency response drills for level 3 and above and they must be completed so you must do an instant response and you must have documentation that you okay level 1 and 2 is 4 level 3 they must have these response plan and you do that for a level 3 in above you must complete that on a regular basis not I'm not sure what the regular is but I would say it's probably got to be at least annually the incident must be reported to the MPS within 24 hours okay you heard me right 24 hours so you only got 24 hours to respond to the ministry of public Security in regards to that and now to get put in perspective GPR is 72 hours and most of the other things out there like right now the California Privacy Act that they've gotten place that is 72 hours as well but 24 hours that you get feel that you've been hacked you have to let the ministry of public security know about this so here's the deal if you have business in China and you have a business that's growing and you just say your multinational that's not Chinese right so you were from Europe United States you need and even if you're in China what you need to get knowledgeable lots of cybersecurity people out there but you need somebody that is a cybersecurity legal expert not just a legal expert a cybersecurity legal expert they're very different and there's less and less of those so that's important you also need to read up and you know this information is bottom line got to know what you got to make it happen you need to read up on it and third you need to find yourself a cyber-security person if you navigate these Waters be honest with you I just might be a little sore like a little self-serving it is not I don't care if it's a cybersecurity professional like myself cyber-security background as well you need someone that can help you with that it isn't it doesn't come out of nothing it's just somebody can help you become the best cyber security help you with the pieces of this for your business read up on it and get a cypress tree person to help you out okay hope this helps bottom line is out here to give you some information and using my background my knowledge to help you get the information you need to protect you and your bu