Guiyang City, The Computer Information Network Security Management Approach

Original Language Title: 贵阳市计算机信息网络安全保护管理办法

Read the untranslated law here: http://www.chinalaw.gov.cn/article/fgkd/xfg/dfzfgz/201209/20120900376500.shtml

    (Adopted on May 21, 2012 by the executive meeting of the Guiyang Municipal People's Government; released on May 25, 2012 by the Guiyang Municipal People's Government as No. 5; in force from July 1, 2012)

    Chapter I General provisions

    Article 1. These measures are formulated in accordance with laws and regulations such as the People's Republic of China regulations on protection of computer information system security, and in light of the city's actual conditions, in order to strengthen computer information network security management, promote the healthy development of informatization construction, and safeguard legitimate rights and interests, public interests and social stability.

    Article 2. These measures apply to computer information network security management within the administrative area of the city.

    Computer information systems involving State secrets are governed by the relevant confidentiality laws and regulations.

    Article 3. Computer information network security adheres to the principles of "conservation and management" and "who is in charge of who, who is responsible for operations, who is responsible for".

    Article 4. Municipal and district (city, county) people's governments shall strengthen leadership of computer information network security management and integrate this work into the comprehensive social management examination and annual targets of the people's government at the corresponding level.

    Article 5. The municipal public security organ is responsible for the city's computer information network security management; its network security department is in charge of day-to-day computer information network security management.

    District and county (city) public security organs, in accordance with their functions and powers, are responsible for computer information network security management in their areas.

    State security organs and the administrative departments for secrets, passwords, business, culture, radio, film and television, industry and information, monitoring and other relevant matters shall, in accordance with their respective responsibilities, carry out work related to computer information network security management.

    Computer information network operating and using units shall, in accordance with the regulations, carry out work related to computer information network security management.

    Chapter II Supervision and administration

    Article 6. In computer information network security management, public security organs shall perform the following duties:

    (1) guide, supervise and check that computer information network operating and using units establish and implement the necessary security protection systems and technical security protection measures;

    (2) guide, supervise and inspect public information services on computer information networks, classified security protection of information, computer information network security services and so on; where public information is found to contain information listed in Article 24 of these measures, notify the computer information network operating and service unit to delete it and, if necessary, discontinue the sender's network services in accordance with law;

    (3) handle the formalities related to computer information networks;

    (4) handle reports of cases and events endangering computer information network security, survey the scene and collect the relevant evidence, and investigate and punish violations of the safety management of computer information networks;

    (5) guide or organize computer information network security training for the security personnel of computer information network operating and using units;

    (6) manage the prevention and cure of computer viruses;

    (7) where a major emergency occurs on a computer information network, or an emergency threatens national security, public safety, social stability or the security of important computer information networks, require the units concerned to take emergency control measures after approval has been obtained in accordance with legal procedures;

    (8) other duties stipulated by laws, rules and regulations.

    Article 7. State security organs are responsible for the administration of computer information network matters involving national security, and investigate and punish violations that use computer information networks to endanger national security.

    Article 8. Secrecy administrative departments supervise and administer computer information networks in accordance with the law on guarding State secrets.

    Article 9. Password management departments shall strengthen the monitoring, inspection and guidance of password products and their use in computer information systems, regularly inspect and evaluate the allocation, use and management of passwords in the classified security protection of computer information systems, and provide training in the operation and management of cryptographic products.

    Where password management departments find, in the course of supervision and inspection, safety hazards, violations of password management rules or failure to meet password requirements, the matter shall be handled in accordance with the provisions on password management.

    Article 10. Computer information network operating and using units shall perform the following duties:

    (1) be responsible for the unit's own computer information network security management, establish and improve security management systems, implement security protection measures, and ensure network security and information security;

    (2) be responsible for the security education and training of network users;

    (3) where public information is found to contain information endangering network security, harmful data or network violations, immediately stop transmitting the illegal content, retain the original record, and report to the local public security organ within 24 hours;

    (4) assist and cooperate with the public security organs, State security organs and other departments in investigating and punishing violations;

    (5) provide the public security organs, State security organs and other relevant departments with computer information system security information, Internet based data and other data files;

    (6) other duties stipulated by laws, rules and regulations.

    Chapter III Security

    Article 11. Computer information systems are subject to a classified security protection system.

    Computer information system security is divided into five levels; the principles and standards for establishing levels, and the content of security and management at each level, follow the relevant provisions of the State.

    Secret-involved information systems shall be protected on the basis of the basic requirements of national information security classified protection, in accordance with relevant regulations and technical standards, and in combination with the protection system.

    Article 12. Computer information network operating and using units shall comply with the relevant management practices and technical standards for computer information system security levels.

    When computer information systems are built, rebuilt, expanded, operated and used, the security level of the system shall be planned and designed, information security facilities that meet the requirements of that security level shall be built, and security protection measures shall be implemented.

    In planning and building computer information system security facilities, the units that plan, build, operate and use computer information systems shall use information security products that comply with State regulations and meet the security needs of the computer information system.

    Article 13. Units operating and using second-level and second-level computer information networks shall apply to the city public security organ for network security classification filing in accordance with the following provisions:

    (1) for a new computer information network, within 30 days from the date it is put into operation;

    (2) for a computer information network already in operation, within 30 days from the date of implementation of these measures;

    (3) where the structure, processes, services and the like of a computer information network change, within 30 days from the date of the change.

    Article 14. Computer information network operating and using units shall establish and implement the following security management systems:

    (1) a computer room safety management system;

    (2) a safety responsibility and confidentiality system;

    (3) a system for verifying, registering and updating user registration information;

    (4) a system for account use registration and rights management;

    (5) job responsibilities for safety managers;

    (6) important equipment and media management systems;

    (7) information distribution audit, registration, storage, removal and backup systems;

    (8) information security education and training systems;

    (9) an information network security emergency response system;

    (10) a system for reporting events and assisting in the investigation of cases;

    (11) other security protection systems that should be established and implemented.

    Article 15. Computer information network operating and using units shall implement security measures strictly in accordance with the Internet security technology measures regulations and the provisions of other relevant laws, regulations and rules.

    Article 16. Computer information network operating and using units shall carry out daily inspection of the security situation of their computer information networks, and shall regularly evaluate and self-examine that security situation in accordance with the relevant management practices and technical standards; where evaluation or self-examination shows that requirements are not met, rectification shall be made in a timely manner.

    Article 17. Computer information network operating and using units shall develop emergency plans for major emergencies involving computer information systems.

    When a major emergency occurs on a computer information network, the operating and using unit shall handle it promptly as the emergency plan requires, and shall obey the scheduling of the public security organs and other designated authorities.

    Where the confidentiality provisions of the State are violated and State secrets have been or may be disclosed, immediate measures shall be taken and the matter reported to the relevant organs or units; the organs or units concerned shall deal with it immediately, report to the local State security organ or secrecy administrative department, and retain the original records.

    Article 18. Internet service providers and Internet users shall apply to the municipal public security organ's network security department for filing within 30 days from the date of connecting to the Internet or, where the network is already connected, within 30 days from the date of implementation of these measures. Internet service providers shall register users' real data.

    Where user profile information changes, the filing procedures shall be applied for with the public security organ of original filing within 30 days from the date of the change.

    Article 19. Units providing Internet information services shall establish and improve an information audit system and designate audit staff; where information is found that falls under Article 24, they shall immediately remove the illegal content, save the original records, and report to the local public security organ and State security organ; matters relating to other departments shall be reported to the relevant administrative departments.

    Computer information networks that provide electronic messaging, online gaming and other instant messaging services shall use a fixed network address on the Internet, and shall record and retain user registration information.

    Article 20. Units that use internal network addresses and network address translation for access to the Internet shall record and retain user terminal hardware address information and the corresponding internal network addresses and Internet network addresses, and shall retain these records for more than 60 days.

    Article 21. Lawfully established Internet online service business premises shall strictly implement the relevant provisions of the regulations on the administration of business sites of Internet access services, and shall regularly submit their network security status and related information to the network security department of the public security organ with administrative authority.

    Article 22. Non-profit Internet service provider units shall comply with the following requirements:

    (1) within 15 days of beginning to provide Internet access services or, where Internet service is already provided, within 15 days from the date of implementation of these measures, complete the formalities with the network security department of the local public security organ;

    (2) where the legal representative, address, location, network or other particulars change, apply to the public security organ of original filing for record-keeping procedures within 15 days from the date of the change;

    (3) install and operate security infrastructure that meets national requirements, network it with the public security organ's information management platform, and ensure its normal operation;

    (4) where wireless access to Internet services is provided, record and retain user information and the corresponding Internet terminal hardware address information.

    Article 23. Computer information network security services shall be established by law.

    Those engaged in the related business activities in this city shall apply to the municipal public security organ's network security department for filing 30 days before carrying out operational activities or, where already operating, within 30 days from the date of implementation of these measures.

    Computer information network security services and their staff shall comply with the following requirements:

    (1) provide information security services in accordance with the provisions of the relevant laws, regulations and technical standards;

    (2) not disclose State secrets, business secrets or computer information system technical secrets learned in the course of service;

    (3) not unlawfully possess or use a user's information resources;

    (4) not set up covert channels in computer information systems.

    Article 24. No unit or individual may use computer information networks to publish or disseminate information containing the following content:

    (1) opposing the basic principles prescribed in the Constitution;

    (2) endangering national security, leaking State secrets, subverting State power or undermining national unity;

    (3) harming national honour and the public interest;

    (4) inciting ethnic hatred or ethnic discrimination, undermining national unity, or violating ethnic customs;

    (5) undermining the country's religion policy, or publicizing cults and feudal superstition;

    (6) spreading rumors, disturbing social order or undermining social stability;

    (7) encouraging public comment on and public release of others' privacy, or personal attacks on others by implication or innuendo;

    (8) insulting others or fabricating facts to slander others;

    (9) for illegal activities on behalf of the community;

    (10) the sale of items prohibited by laws and regulations;

    (11) illegal trade in goods whose circulation is restricted by laws and regulations, constituting a threat to public safety;

    (12) containing obscenity, pornography, gambling, violence, fraud, terrorism and so on, or abetting the commission of crimes and crime methods;

    (13) other contents prohibited by laws, rules and regulations.

    Article 25. No unit or individual shall engage in the following activities endangering computer information network security and order:

    (1) unauthorized access to computer information systems, or the unlawful possession, use or theft of computer information system resources;

    (2) deleting, modifying, adding to or interfering with computer information system functions without permission;

    (3) deleting, modifying or adding to data and applications stored, processed or transmitted in computer information systems without permission;

    (4) destroying the computer information network environment, facilities and equipment;

    (5) theft of, tampering with or destruction of other network resources;

    (6) intentionally producing, disseminating or using computer viruses, malware and other destructive programs, or making, publishing, reproducing or spreading destructive programs or information on their mechanism or source;

    (7) intentionally blocking, obstructing or interrupting the transmission of computer information networks, or malicious use of network resources;

    (8) using computer information networks to post information against the will of others or in the name of another person;

    (9) knowing that the network address, hosting space or other computer information network resources of one's unit or oneself have been exploited for activities likely to jeopardize the safety of computer information networks, and failing to stop it;

    (10) unauthorized use of computer information networks to collect, use, provide or trade the proprietary information of others;

    (11) other acts that jeopardize computer information network security and order.

    Chapter IV Penalty

    Article 26. Where those in charge at State organs, State-owned enterprises and institutions violate these measures, resulting in serious consequences, administrative sanctions shall be imposed in accordance with the relevant provisions.

    Staff of public security organs and other government departments who violate these measures by dereliction of duty or abuse of authority shall be dealt with by their work units, the competent authorities or supervisory organs in accordance with the relevant provisions.

    Article 27. In any of the following circumstances in violation of these measures, the public security organ shall, within its management authority, give a warning and order rectification; where corrections are not made, it shall order suspension for reorganization within 6 months:

    (1) failure to establish the security level of computer information systems;

    (2) failure to complete the filing formalities or the formalities for change of filing;

    (3) failure to report within the specified time major accidents occurring in computer information systems;

    (4) computer information system security infrastructure not planned and built in accordance with national information security classified protection management and technical standards.

    Article 28. In any of the following circumstances in violation of these measures, the public security organ shall, within its management authority, give a warning and order rectification; where corrections are not made, the nature of the business of the unit between 1000 and 500 Yuan fine, on the nature of the business units more than 1000 Yuan and 10,000 yuan fine:

    (1) failure to carry out, in accordance with relevant State regulations, class evaluation of computer information systems and self-examination of their security situation, or failure to take timely corrective action where evaluation and self-examination show that requirements are not met;

    (2) failure to provide relevant information, Internet based data and other data files when the relevant departments investigate, in accordance with law, suspected violations against computer information network security;

    (3) failure to formulate a major emergency treatment plan for computer information systems, or, when an emergency occurs, failure to process it in a timely manner or to submit to scheduling by the departments concerned.

    Article 29. Where, in violation of these measures, a computer information network security management system is not established and implemented, or technical security protection measures are not implemented, the public security organ shall, within its management authority, impose punishment in accordance with Article 21 of the international networking of computer information network security management approach.

    Article 30. Internet online service business premises and business units that violate the relevant regulations shall be punished in accordance with the relevant provisions of the regulations on the administration of business sites of Internet access services.

    Article 31. Where an Internet online service business premises that has lawfully obtained a business license fails without justification to open within the statutory deadline, or after opening ceases to meet the legal conditions, so that the business license should be revoked or cancelled, the local administration for industry and commerce registration authority shall, within its administrative authority, revoke or cancel the license.

    Article 32. Units or individuals who contravene Articles 24 and 25 of these measures shall be punished by the public security organ, within its management authority, in accordance with the People's Republic of China Public Security Administration Punishment Act, the management of the computer information network and Internet security provisions and other regulations.

    Article 33. Violations of these measures for which other laws, rules and regulations provide administrative penalties shall be handled according to law.

    Article 34. Violations over which there is no administrative authority shall be reported to the higher authorities and handled by the organ with administrative authority.

    Chapter V By-laws

    Article 35. In these measures, the following terms mean:

    (1) "computer network" means a human-machine system made up of computers and related equipment that collects, processes, stores, transmits and retrieves information according to certain goals and rules, including computer information systems that are not connected to the Internet (LAN) and computer information systems with access (including wireless access) to the Internet;

    (2) "computer information network security" includes the safe operation of the computer information network and information security;

    (3) "computer information network operating and using units" refers to all managers and users who interact with computer information systems, including Internet access services, Internet data centre services, Internet information services, Internet access services, networking (including wireless access) units, and units using computer information systems that are not connected to the Internet (LAN);

    (4) "major emergency" refers to major events endangering computer information network security, such as the widespread dissemination of harmful information, the proliferation of cyber attacks and virus outbreaks;

    (5) "Internet service provider" refers to units providing users with Internet access services, Internet data centre services, Internet information services and Internet access services;

    (6) "network users" refers to units that apply for and use an Internet connection;

    (7) "Internet data center services unit" refers to units providing hosting, rental and virtual space rental services;

    (8) "computer information network security services" refers to units engaged in computer information network security design, construction, testing, maintenance, supervision, advice, training, evaluation and other business;

    (9) "electronic bulletin board service" refers to providing Internet users with the conditions for publishing information on the Internet in interactive forms such as forums, chat rooms, message boards, blogs and Twitter.

    Article 36. These measures take effect on July 1, 2012.