MIIT Regulates Internet Information Security Management Systems

Recently, the Ministry of Industry and Information Technology (MIIT) released the Interim Administrative Measures for Use, Operation and Maintenance of Internet Information Security Management Systems to provide guidance on the use, operation and maintenance of Internet information security management systems for both local Communications Administrations and Internet access service providers.

The "Internet information security management systems" referred to in the Measures include ministerial-level systems, provincial-level systems, and enterprise systems constructed or rented by telecommunications business operators operating Internet data centers (including Internet resource collaboration services) and providing Internet access services and content delivery network services. MIIT, along with local Communications Administrations, is responsible for directing, supervising and coordinating the use and operation & maintenance of respective levels of those systems.

The Measures mainly include 3 parts:

  • Use requirements such as system data management, management of violating websites and illegal information, and access log management
  • Operation & maintenance requirements such as system operation monitoring, capacity expansion and upgrade, security protection, privilege management, audit of operational log, and data security
  • Auxiliary requirements such as organizational framework, education and training, and offering assistance


In particular, the Measures require Telecom Authority and enterprises to introduce a privilege management model for staff of the Internet information security management system, keep operational log and conduct audit regularly, and keep such log and audit record for at least 6 months. In addition, enterprises are required to use their own enterprise systems to keep access log, and provide such log within 2 hours upon a lawful request of review from relevant departments.

The Measures are developed in accordance with the Decisions of National People' s Congress Standing Committee on Strengthening Network Information Protection, Anti-Terrorism Law, National Security Law, Telecommunications Regulations andAdministrative Measures for Internet Information Services, as well as other applicable laws, regulations, relevant rules and communication industry standards, which are listed in the attachment of the Measures as:

  • Administrative Measures for Security of Communication Networks (MIIT Order No.11)
  • YDT 2248-2015 Technical requirements of information security management system for Internet data center/Internet service provider
  • YDT 2405-2015 Interface standard of information security management system for Internet data center/Internet service provider
  • YDT 1729-2008 Implementation guide for multi-level security protection of telecom network and Internet
  • YDT 1730-2008 Implementation guide for multi-level security protection of telecom network and Internet
  • Other relevant rules and communication industry standards.


The Measures also require all the local Communications Administrations and enterprises to, per the Measures, develop further implementation rules of use, operation and maintenance of provincial-level and enterprise systems.