Notice of the State Internet Information Office on Soliciting Public Opinions on the Regulations on the Security Protection of Key Information Infrastructure (Draft for Comments)

Posted by chiappelli at 2020-03-02

09:00, July 11, 2017 Source: China Netcom

In order to ensure the security of key information infrastructure, and in accordance with the Cybersecurity Law of the People's Republic of China, our office, together with the relevant departments, has drafted the Regulations on the Security Protection of Key Information Infrastructure (Draft for Comments), which are hereby released for public comment. Before August 10, 2017, relevant units and people from all walks of life may submit comments in the following ways:

1. Send comments by letter to the Network Security Coordination Bureau of the State Internet Information Office, No. 11 Chegongzhuang Street, Xicheng District, Beijing, 100044, and mark "for comments" on the envelope.

2. Email to: [email protected]

Annex: Regulations on security protection of key information infrastructure (Draft for comments)

National Internet Information Office

July 10, 2017

Regulations on security protection of key information infrastructure

(Draft for comments)

Chapter I General Provisions

Article 1 In order to ensure the security of key information infrastructure, these Regulations are formulated in accordance with the Cybersecurity Law of the People's Republic of China.

Article 2 These Regulations apply to the planning, construction, operation, maintenance and use of key information infrastructure within the territory of the People's Republic of China, and to the security protection of key information infrastructure.

Article 3 The security protection of key information infrastructure shall adhere to the principles of top-level design, overall protection, overall coordination and division of responsibilities, give full play to the role of the operating entities, and, with the active participation of all sectors of society, jointly protect the security of key information infrastructure.

Article 4 The national industry authorities or regulatory departments shall, in accordance with the division of responsibilities prescribed by the State Council, be responsible for guiding and supervising the security protection of key information infrastructure in their respective industries and fields.

The national network and information department is responsible for the overall coordination of the security protection of key information infrastructure and the related supervision and administration. The departments of public security, national security, state secrecy administration and state cryptography administration under the State Council shall be responsible for network security protection, supervision and administration within their respective functions and responsibilities.

The relevant departments of local people's governments at or above the county level shall carry out the security protection of key information infrastructure in accordance with the relevant provisions of the State.

Article 5 Operators of key information infrastructure (hereinafter referred to as operators) shall bear primary responsibility for the security of their own key information infrastructure, perform network security protection obligations, accept supervision by the government and society, and bear social responsibility.

The State encourages network operators other than operators of key information infrastructure to voluntarily participate in the key information infrastructure protection system.

Article 6 Key information infrastructure shall be protected on the basis of the network security level protection system.

Article 7 Any individual or organization has the right to report acts endangering the security of key information infrastructure to the network information, telecommunications, public security and other departments, as well as to the competent or regulatory departments of the industry concerned.

The department receiving a report shall handle it in a timely manner according to law; if the matter does not fall within its responsibilities, it shall promptly transfer it to the department with the authority to handle it.

The relevant departments shall keep information about the whistleblower confidential and protect the whistleblower's legitimate rights and interests.

Chapter II Support and Guarantee

Article 8 The State shall take measures to monitor, defend against and handle network security risks and threats originating inside and outside the territory of the People's Republic of China, protect key information infrastructure from attack, intrusion, interference and damage, and punish illegal and criminal network activities according to law.

Article 9 The State shall formulate industrial, fiscal, taxation, financial, talent and other policies to support the innovation of technologies, products and services related to the security of key information infrastructure, promote secure and reliable network products and services, train and select network security talent, and raise the security level of key information infrastructure.

Article 10 The State shall establish and improve the network security standards system, and use standards to guide and regulate the security protection of key information infrastructure.

Article 11 People's governments at or above the prefecture level shall incorporate the security protection of key information infrastructure into their overall plans for regional economic and social development, increase investment, and carry out performance assessment and evaluation of the work.

Article 12 The State encourages government departments, operators, scientific research institutions, network security service institutions, industry organizations, and providers of network products and services to cooperate on the security of key information infrastructure.

Article 13 The national industry authorities or regulatory departments shall establish or designate institutions and personnel specifically responsible for the security protection of key information infrastructure in their own industries and fields, prepare and organize the implementation of network security plans for their industries and fields, establish and improve a funding guarantee mechanism for the work, and urge its implementation.

Article 14 The energy, telecommunications, transportation and other industries shall provide priority guarantees and support in electricity supply, network communications, transportation and other respects for the emergency handling of network security incidents affecting key information infrastructure and for the restoration of network functions.

Article 15 Public security organs and other departments shall, in accordance with law, investigate and crack down on illegal and criminal activities that target or make use of key information infrastructure.

Article 16 No individual or organization may engage in any of the following activities or behaviors that may endanger key information infrastructure:

(1) attacking, intruding into, interfering with or destroying key information infrastructure;

(2) illegally obtaining, selling or providing to others without authorization technical data and other information that may be specifically used to endanger the security of key information infrastructure;

(3) conducting penetration testing or offensive scanning and probing of key information infrastructure without authorization;

(4) providing assistance such as Internet access, server hosting, network storage, communication transmission, advertising promotion, or payment and settlement while knowing that others are engaged in activities endangering the security of key information infrastructure;

(5) other activities and behaviors endangering key information infrastructure.

Article 17 The State maintains network security on the basis of an open environment and actively carries out international exchanges and cooperation in the field of key information infrastructure security.

Chapter III Scope of Key Information Infrastructure

Article 18 Network facilities and information systems operated and managed by the following units shall be included in the scope of protection of key information infrastructure if their damage, loss of function or data leakage may seriously endanger national security, the national economy and people's livelihood, or the public interest:

(1) government organs and units in the fields of energy, finance, transportation, water conservancy, health and medical care, education, social security, environmental protection, public utilities and other industries;

(2) telecommunications networks, radio and television networks, the Internet and other information networks, as well as units providing cloud computing, big data and other large-scale public information network services;

(3) scientific research and production units in the fields of national defense science and industry, large-scale equipment, chemical industry, food and drug and other industries;

(4) broadcasting stations, television stations, news agencies and other news organizations;

(5) other key units.

Article 19 The national network and information department shall, in conjunction with the competent telecommunications department and the public security department under the State Council, formulate guidelines for the identification of key information infrastructure.

In accordance with the identification guidelines for key information infrastructure, the national industry authorities or regulatory departments shall organize the identification of key information infrastructure in their industries and fields, and submit the identification results in accordance with the prescribed procedures.

In the process of identifying key information infrastructure, the role of relevant experts shall be fully utilized to improve the accuracy, reasonableness and scientific basis of the identification.

Article 20 In the case of new construction or decommissioning of key information infrastructure, or major changes to key information infrastructure, the operator shall promptly report the relevant information to the national industry authorities or regulatory departments.

The national industry authorities or regulatory departments shall promptly identify and adjust the scope according to the situation reported by the operator, and submit the adjustments in accordance with the prescribed procedures.

Chapter IV Security Protection by Operators

Article 21 In constructing key information infrastructure, it is necessary to ensure that it has the capability to support stable and continuous business operation, and that security technical measures are planned, built and put into use synchronously with it.

Article 22 The principal person in charge of the operator is the first person responsible for the security protection of the unit's key information infrastructure, and is responsible for establishing and improving the network security responsibility system, organizing its implementation, and taking full responsibility for the security protection of the unit's key information infrastructure.

Article 23 The operator shall, in accordance with the requirements of the network security level protection system, perform the following security protection obligations, protect the key information infrastructure from interference, damage or unauthorized access, and prevent network data from being leaked, stolen or tampered with:

(1) formulating internal security management systems and operating procedures, and strictly managing identity authentication and access rights;

(2) taking technical measures to prevent computer viruses, network attacks, network intrusions and other acts endangering network security;

(3) taking technical measures to monitor and record network operation status and network security events, and retaining the relevant network logs for not less than six months as required;

(4) taking measures such as data classification, backup of important data, and encryption and authentication.

Article 24 In addition to the obligations in Article 23 of these Regulations, the operator shall also perform the following security protection obligations in accordance with national laws and regulations and the mandatory requirements of relevant national standards:

(1) establishing a dedicated network security management organization and appointing a person in charge of network security management, and conducting security background reviews of that person and of personnel in key positions;

(2) regularly carrying out network security education, technical training and skills assessment for employees;

(3) performing disaster recovery backups of important systems and databases, and promptly taking remedial measures for security risks such as system vulnerabilities;

(4) formulating emergency plans for network security incidents and conducting regular drills;

(5) other obligations prescribed by laws and administrative regulations.

Article 25 The operator's person in charge of network security management shall perform the following duties:

(1) organizing the formulation of network security rules, regulations and operating procedures, and supervising their implementation;

(2) organizing the skills assessment of personnel in key positions;

(3) organizing the formulation and implementation of the unit's network security education and training plans;

(4) organizing and carrying out network security inspections and emergency drills for responding to network security incidents;

(5) reporting important network security matters and events to the relevant state departments as required.

Article 26 Professional and technical personnel in key network security positions of operators shall hold the required qualification certificates for their posts.

The specific provisions on certification for such posts shall be formulated by the human resources and social security department of the State Council in conjunction with the national network and information department and other departments.

Article 27 The operator shall organize network security education and training for its employees; the annual education and training time shall be not less than 1 working day per person, and not less than 3 working days per person for professional and technical personnel in key positions.

Article 28 The operator shall establish and improve a security inspection and evaluation system for key information infrastructure, and conduct a security inspection and evaluation before key information infrastructure goes online or when there is a major change.

The operator shall, on its own or by entrusting a network security service institution, conduct at least one inspection and evaluation of the security and potential risks of its key information infrastructure every year, promptly rectify the problems found, and report the relevant information to the national industry authorities or regulatory departments.

Article 29 Personal information and important data collected and generated by the operator during operation within the territory of the People's Republic of China shall be stored within the territory. If it is genuinely necessary to provide such data overseas for business reasons, a security assessment shall be conducted in accordance with the Measures for the Security Assessment of the Outbound Transfer of Personal Information and Important Data; where laws and administrative regulations provide otherwise, those provisions shall prevail.

Chapter V Product and Service Security

Article 30 Key network equipment and dedicated network security products purchased and used by operators shall meet the mandatory requirements of laws, administrative regulations and relevant national standards.

Article 31 Where an operator purchases network products and services that may affect national security, it shall pass the network security review in accordance with the Measures for the Security Review of Network Products and Services, and sign a security and confidentiality agreement with the provider.

Article 32 Operators shall conduct a security inspection of systems and software developed through outsourcing, and of network products received as donations, before putting them into use online.

Article 33 If an operator discovers risks such as security defects and vulnerabilities in the network products and services it uses, it shall promptly take measures to eliminate the potential risks, and where major risks are involved, it shall report to the relevant departments in accordance with regulations.

Article 34 The operation and maintenance of key information infrastructure shall be carried out within the territory of China. If it is genuinely necessary to carry out overseas remote maintenance for business reasons, this shall be reported in advance to the national industry authorities or regulatory departments and the public security department of the State Council.

Article 35 Institutions that carry out security testing and evaluation of key information infrastructure, publish security threat information such as system vulnerabilities, computer viruses and network attacks, or provide services such as cloud computing and information technology outsourcing shall meet the relevant requirements.

The specific requirements shall be formulated by the national network and information department in conjunction with the relevant departments of the State Council.

Chapter VI Monitoring, Early Warning, Emergency Response, Testing and Evaluation

Article 36 The national network and information department shall coordinate the establishment of a network security monitoring and early warning system and an information notification system for key information infrastructure, organize and guide relevant institutions in the collection, analysis, assessment and notification of network security information, and uniformly issue network security monitoring and early warning information in accordance with regulations.

Article 37 The national industry authorities or regulatory departments shall establish and improve network security monitoring, early warning and information notification systems for key information infrastructure in their own industries and fields, keep abreast of the operating status and security risks of key information infrastructure in their industries and fields, and notify the relevant operators of security risks and related work information.

The national industry authorities or regulatory departments shall organize the analysis and assessment of security monitoring information; where immediate preventive measures are necessary, they shall promptly issue early warning information and recommendations on emergency preventive measures to the relevant operators, and report to the relevant departments in accordance with the requirements of the national network security emergency plan.

Article 38 The national network and information department shall coordinate the relevant departments, operators, relevant research institutions and network security service institutions to establish a network security information sharing mechanism for key information infrastructure and promote the sharing of network security information.

Article 39 In accordance with the requirements of the national network security emergency plan, the national network and information department shall coordinate the relevant departments to establish and improve a network security emergency cooperation mechanism for key information infrastructure, strengthen the building of network security emergency response forces, and guide and coordinate the relevant departments in organizing cross-industry and cross-regional network security emergency drills.

The national industry authorities or regulatory departments shall organize the formulation of emergency plans for network security incidents in their own industries and fields, and regularly organize drills to improve the response and disaster recovery capabilities for network security incidents. In the event of a major network security incident, or on receiving early warning information from the network and information department, the emergency plan shall be activated immediately to organize the response, and the relevant situation shall be reported in a timely manner.

Article 40 The national industry authorities or regulatory departments shall regularly organize spot checks and testing of the security risks of key information infrastructure in their industries and fields and of operators' performance of security protection obligations, propose improvement measures, and guide and urge operators to promptly rectify the problems found in inspection and evaluation.

The national network and information department shall coordinate the spot checks and inspections carried out by the relevant departments to avoid overlapping and repeated inspections and evaluations.

Article 41 When organizing security inspections and evaluations of key information infrastructure, the relevant departments shall adhere to the principles of objectivity, fairness, efficiency and transparency, adopt scientific inspection and evaluation methods, standardize the inspection and evaluation process, and control the risks of inspection and evaluation.

The operator shall cooperate with inspections and evaluations carried out by the relevant departments according to law, and promptly rectify the problems found.

Article 42 When organizing security inspections and evaluations of key information infrastructure, the relevant departments may take the following measures:

(1) requiring the operator's relevant personnel to provide explanations on the matters under inspection and evaluation;

(2) consulting, retrieving and copying documents and records related to security protection;

(3) checking the formulation and implementation of the network security management system and the planning, construction and operation of network security technical measures;

(4) using testing tools, or entrusting network security service institutions, to carry out technical testing;

(5) other necessary means agreed to by the operator.

Article 43 Information obtained by the relevant departments and network security service institutions in the security inspection and evaluation of key information infrastructure may be used only for the purpose of maintaining network security, and shall not be used for any other purpose.

Article 44 When organizing security inspections and evaluations of key information infrastructure, the relevant departments shall not charge fees to the inspected and evaluated units, nor require them to purchase products or services of designated brands or of designated producers or sellers.

Chapter VII Legal Liability

Article 45 If an operator fails to perform the network security protection obligations specified in Article 20 paragraph 1, Article 21, Article 23, Article 24, Article 26, Article 27, Article 28, Article 30, Article 32, Article 33 and Article 34 of these Regulations, the relevant competent department shall, in accordance with its duties, order it to make corrections and give it a warning; if it refuses to make corrections, or the failure leads to consequences such as endangering network security, a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed, and the person directly in charge shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 46 If an operator, in violation of Article 29 of these Regulations, stores network data abroad or provides network data abroad, the relevant competent department of the State shall, in accordance with its duties, order it to make corrections, give it a warning, confiscate its illegal gains, and impose a fine of not less than 50,000 yuan but not more than 500,000 yuan, and may order it to suspend the relevant business, suspend business for rectification, close its website, or revoke the relevant business license; the persons directly in charge and other persons directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 47 If an operator, in violation of Article 31 of these Regulations, uses a network product or service that has not undergone security review or has failed to pass security review, the relevant competent department of the State shall, in accordance with its duties, order it to stop using the product or service and impose a fine of not less than one and not more than ten times the purchase amount; the persons directly in charge and other persons directly responsible shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

Article 48 If an individual violates Article 16 of these Regulations and the violation does not constitute a crime, the public security organ shall confiscate the illegal gains and impose detention of not more than five days, and may also impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; if the circumstances are relatively serious, detention of not less than five days but not more than 15 days shall be imposed, and a fine of not less than 100,000 yuan but not more than 1,000,000 yuan may also be imposed; if a crime is constituted, criminal responsibility shall be investigated according to law.

If a unit commits any of the acts mentioned in the preceding paragraph, the public security organ shall confiscate its illegal gains and impose a fine of not less than 100,000 yuan but not more than 1 million yuan, and the persons directly in charge and other persons directly responsible shall be punished in accordance with the preceding paragraph.

Those who violate Article 16 of these Regulations and receive criminal punishment shall be barred for life from key posts in key information infrastructure security management and network operation.

Article 49 If operators of key information infrastructure of state organs fail to perform the network security protection obligations stipulated in these Regulations, their superior organs or the relevant organs shall order them to make corrections; the persons directly in charge and other persons directly responsible shall be punished according to law.

Article 50 If the relevant departments or their staff commit any of the following acts, the persons directly in charge and other persons directly responsible shall be punished according to law; if a crime is constituted, criminal responsibility shall be investigated according to law:

(1) taking advantage of their position to solicit or accept bribes in the course of their work;

(2) negligence or abuse of power;

(3) disclosing information, data and data documents related to key information infrastructure without authorization;

(4) other acts in violation of their legal duties.

Article 51 Where a major network security incident affecting key information infrastructure is determined by investigation to be a liability accident, in addition to investigating the responsibility of the operating unit according to law, the responsibility of the relevant network security service institutions and relevant departments shall also be investigated; where negligence, dereliction of duty or other illegal acts are found, responsibility shall be pursued according to law.

Article 52 Institutions, organizations and individuals outside the People's Republic of China that engage in activities that attack, intrude into, interfere with or damage key information infrastructure of the People's Republic of China and cause serious consequences shall be held legally responsible according to law; the public security department, national security organ and relevant departments under the State Council may also decide to freeze the property of, or take other necessary sanctions against, such institutions, organizations and individuals.

Chapter VIII Supplementary Provisions

Article 53 The security protection of key information infrastructure that stores and processes state secret information shall also comply with the provisions of secrecy laws and administrative regulations.

The use and management of cryptography in key information infrastructure shall also comply with the provisions of cryptography laws and administrative regulations.

Article 54 The security protection of key military information infrastructure shall be separately prescribed by the Central Military Commission.

Article 55 These Regulations shall come into force as of.