Inner Mongolia Autonomous Region, Computer Information System Security Measures

Original Language Title: 内蒙古自治区计算机信息系统安全保护办法


Safeguarding the computer information system in the self-government region of Mongolia

(The 12th ordinary meeting of the Government of the people of the Autonomous Region of Mongolia, held on 16 November 2011, considered the adoption of the Decree No. 183 of 6 December 2011 of the People's Government of the Autonomous Region of Mongolia, effective 1 February 2012.)

Chapter I General

In order to protect the security of computer information systems, this approach has been developed in line with the National People's Republic of China's Computer Information System Safety Protection Regulations and relevant legal regulations, in the context of the self-government area.

Article II applies to the safety and protection of computer information systems in the administration of self-government zones.

Article 3

National security agencies, the confidential work sector, password management and other relevant departments are able to protect computer information systems within their respective responsibilities.

The safety protection of computer information systems should be guaranteed by computers and their associated and accompanying equipment, facilities, cybersecurity, operating environmental safety, security of information, and the proper functioning of computer information systems in order to maintain the safe operation of computer information systems.

Chapter II

The computer information system has a safety hierarchy protection system. The level of security protection is based on the importance of computer information systems in national security, economic construction and social life, and the damage to the computer information system has been undermined by factors such as national security, social order, public interest and legitimate rights of citizens, legal persons and other organizations.

(i) After the destruction of the computer information system, it may cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, without prejudice to national security, social order and public interest, at the first level;

(ii) After the destruction of computer information systems, it may cause serious harm to the legitimate rights and interests of citizens, legal persons and other organizations, or may cause damage to social order and public interests, but not undermine national security, at the second level;

(iii) After the destruction of computer information systems, it may cause serious harm to social order and public interests or may cause harm to national security, at the third level;

(iv) After the destruction of computer information systems, it may cause serious harm to social order and public interests or may cause serious harm to national security, at the fourth level;

(v) After the destruction of computer information systems, it may cause serious harm to national security, at the fifth level.

Article 6

(i) Determination of the level of safety protection of computer information systems and implementation of protection in accordance with the standards of hierarchy of regulations and technical standards;

(ii) The establishment of a new computer information system should determine the level of security protection at the planning, design stage, synchronizing the development of information systems safety protection facilities that meet the requirements of the security protection hierarchy and the implementation of security protection measures;

(iii) Significant changes in the structure of the computer information system, processing processes, content of services, or the requirement of the public security authorities to redefine the hierarchy;

(iv) The use of information security products consistent with national and self-government zones and the acquisition of licences for the sale of specialized national computer information systems safe products, as required by the level of safety protection of computer information systems;

(v) Regular self-execution and rehabilitation of the security conditions, protection systems and measures of the computer information system of this unit;

(vi) Establish safety protection organizations, identify security management responsibilities and designate specialized personnel responsible for the security management of computer information systems in this unit.

Article 7.

Article 8. The public safety authority shall review the material on the delivery of the report within 10 working days of the date of receipt of the request, and provide evidence of compliance with the level of protection requirements. Inadequate or protective measures are not in accordance with technical norms, corrective actions should be communicated in writing to the sending units.

Article 9 computer information systems relate to information such as national security, public interest and major economic construction, who operate, use units or authorities should select a security hierarchy that meets the statutory conditions, and conduct a review of the security hierarchy of computer information systems in accordance with the technical standards established by the State.

Upon completion of the construction of computer information systems at the second level, the identifiers can be used.

Article 10 computer information systems determine the level of protection at the secondary level and should conduct at least once a systematic safety hierarchy at least once a year; establish at the third level a system-wide safety hierarchy should be conducted at least once a year; and determine that at least one half a year, a systematic safety hierarchy should be conducted.

Article 11. Agencies and personnel involved in the security hierarchy of computer information systems should comply with national provisions.

The unit requesting the establishment of a security hierarchy should be based on the first instance of the public security authorities of the self-government, and the assessment of the assessment capacity of the Information Security Assessment Centre of the Ministry of Public Safety.

The Government's public security authority in the self-government area should strengthen the oversight, inspection and guidance of the security hierarchy.

Article 12 At least once a year of inspection of the three-tier computer information system, the fourth level of computer information system is checked at least once a year.

The fifth computer information system should be checked by specialized departments designated by the State.

Chapter III Security management

Article 13. Public security authorities should provide guidance on the safety and protection of computer information systems for the public and conduct safety promotion education.

Article 14. Public security authorities implement a hierarchy of management and recommendation systems for computer information systems safety services.

Article 15. The computer information system safety services should be available to the public security authorities at all levels of the League.

The computer information system safety services should implement the standards for the safety of computer information systems in national and autonomous areas and should be equipped with technical personnel that are adapting to the corresponding security services needs of the country and the self-government area in relation to computer information systems safety standards.

The computer information system security services and their staff shall not disclose user information, such as secrets, commercial secrets and computer information systems network structures, configurations, etc. in the conduct of security services; no illicit possession, use of user information resources; and no concealment in computer information systems.

Article 16, when there are major emergencies that endanger national security, public safety, social stability and security of important computer information systems, may require the relevant units to take appropriate measures in accordance with the relevant laws, regulations. The operation of computer information systems, the use of units should be subject to movement control by public security authorities and national designated sectors.

The operation of basic telecommunications operators and computer information systems, the use of units should be subject to security supervision, inspection, guidance and information on the safety of computer information systems, Internet-based data and other data documents.

The units providing Internet access services such as basic telecommunications operators should implement the following provisions:

(i) To cooperate with the public security authorities in accessing the network networking units and user-friendly desks, authentic, complete registration of networking units and user names, nature, effective documentation, Internet addresses, Internet addresses, accessed telephones, contact points, and timely reporting on changes in network units and users;

(ii) Recording and retaining access to the network's networking units and users' access to the network, exiting Internet time and flagship calls, books, Internet addresses, etc. on-the-board information, with no longer than one year;

(iii) To implement relevant safety protection technical measures to match networking units and user information through Internet addresses and relevant web applications;

(iv) To assist public security authorities in detecting criminal acts involving the Internet and to provide 24 hours of rapid search support, including manual compliance, tele-tranet access;

(v) To assist the public security authorities in the conduct of safe advocacy and protection measures for networking units and users of the network;

(vi) The Internet provides for significant changes to be made, such as structures, communications agreements, and should be reported to the Government's public security authorities in the self-governing area.

Article 19 provides units that provide Internet access services, units providing server hosting or renting space services, Internet information service providers and other relevant telecommunications operators should establish security management systems, implement safety-protection technical measures such as ALTs, and promptly identify criminal activities that endanger the safety of information networks, the dissemination of information on violations on the Internet, retain the original records, take timely steps to delete, stop transmission, etc., and report to local public security authorities within 24 hours.

Article 20 provides security protection measures, such as the introduction of high safety passwords, the regular modification of passwords and the security of the gates used.

The basic telecommunications operators can take dynamic password certification techniques to provide Internet access services for networking units and users.

Article 21, networking units and users provide Internet access services to other units, individuals or other units, personal networks and book numbers, shall be subject to the relevant provisions of the State and be backed by the public security authorities of the people of the flag district.

Sections that provide Internet access services and more than 10 Internet-based networking units through local domain networks should be installed and operated in compliance with the security management system established by national and autonomous areas.

Article 23 provides Internet access services such as guests, hotels, restaurants, airports, vehicle stations, accessories, and access to Internet sites, as well as users of access to safe technology measures, and checks and registers of valid documents such as Internet users' identification cards.

Article 24 provides for the use of an internal web address to be transferred to Internet Internet sites, and information such as the end-of-user hardware address should be recorded and retained in the user's interface with internal web addresses and Internet web addresses. The retention period is not less than one year.

Article 25 Production, sale or provision of products and tools with computer information systems remote control, password interpretation, loophole testing, information distribution functions should be reported to the Government of the People's Government of the autonomous region or its designated public safety authority.

Chapter IV Security order

Article 26

(i) The security management system of computer air fleets;

(ii) Security responsibility regime;

(iii) virus, cybersecurity testing and systems upgrading systems;

(iv) System-based safety risk management and emergency disposal systems;

(v) The management system for registration and operation of authority in the accounts;

(vi) The functions of security managers;

(vii) Important equipment, media management systems;

(viii) The publication of a review, registration, preservation, clearance and backup system;

(ix) The management system of information services;

(x) Security education and training systems;

(xi) Cases, incidents reports and assistance to the identification system;

(xii) Other security-related management systems.

Article 27 Operational and use of computer information systems should take the following safety-protection technical measures:

(i) The lengthy or redundant measures of key parts of the system;

(ii) Computer virus control measures;

(iii) Web attacks on prevention and tracing measures;

(iv) Safety audits and early warning measures;

(v) The operation of the system and the user's record of the retention of more than one year;

(vi) Recording user accounts, flag calls and web addresses measures;

(vii) Identification and identification measures;

(viii) garbage information, control of harmful information and clean-up measures;

(ix) Measures to limit the information pool;

(x) Other technical measures to protect the safety of computer information systems.

No units or individuals may use computer information systems, mobile newsletter terminal production, dissemination and reproduction of the following information:

(i) To endanger national unity, sovereignty and territorial integrity;

(ii) Disclosure of State secrets that endanger national security or undermine national honour and interests;

(iii) incitement to national hatred, national discrimination, destruction of national unity or violations of national customs and customs;

(iv) Destabilize national religious policies and promote philosophicalism and envelope;

(v) Dispersing rumours, issuing false information, disrupting social order and undermining social stability;

(vi) Instigation and damage to the public interest of society;

(vii) Promotion of obscene, pornography, cascabo, violence, murder and terror;

(viii) To instigate or teach methods of crime;

(ix) Dispersion of privacy of others, insults, defamation, intimidation of others and violations of the legitimate rights and interests of others;

(x) Participation in examination in activities that are ill-related;

(xi) Trafficking in vouchers, vouchers, false invoices, falsely false commodities, firearms, ammunition, explosives, meals, thefts and other laws, regulations prohibiting the circulation of goods;

(xii) Laws, regulations prohibit the production, dissemination and reproduction of other information.

No unit or individual shall commit the following acts:

(i) Access to computer information systems or unlawful possession, use and stealing computer information systems resources without permission;

(ii) Deleting, modifying, increasing or disrupting computer information systems functions without permission;

(iii) To delete, modify or increase data and applications stored, processed or transmitted in computer information systems without permission;

(iv) The use of computer information systems for theft of accounts and passwords by others, or the unauthorized issuance of books and passwords to third parties;

(v) Illegal interception, alteration, removal of e-mail or other data;

(vi) The deliberate production, dissemination of destructive procedures such as computer viruses and malicious software;

(vii) The use of computer information systems for the production, dissemination of information on behalf of others, or the use of cybermail in other ways;

(viii) The establishment or management of websites, groups, forums and other forums for the dissemination, exchange of information on criminal offences;

(ix) To permit, releasing the information prohibited by article 28 on all or managed websites, web pages and clusters;

(x) Provision of services such as server hosting, virtual flagship, network storage space for illicit websites or direct and indirect funding for them, including through advertising;

(xi) Clear that illegal websites provide Internet access, communication channels, charging, cost-saving services, etc.;

(xii) To disperse, remove information on the Internet and violate the legitimate rights and interests of others for profit;

(xiii) Methods, procedures, tools for intrusion, unlawful control of computer information systems;

(xiv) Other use of computer information systems prohibited by law, regulations.

Chapter V Legal responsibility

Article 31, in violation of articles 6, 9, 10, 17, 181 to 4, 19, 26 and 27 of this approach, is subject to a warning by the public security authority to the extent that the proceeds of the violation are made and forfeiture the proceeds of the law;

Article 31, in violation of article 15, paragraph 3, of this approach, imposes a fine of up to 5,000 dollars for the head of the unit and other direct responsibilities, which is subject to a fine of more than 5,000 dollars for the unit; and the proceeds of the offence may be punished by a fine of between 1 and three times the proceeds of the violation, except for the confiscation of proceeds of the violation.

In violation of article 20, paragraph 1, of this approach, the time limit for a public security authority to be corrected and warned; in the absence of a change in the prescribed period, it could be granted six months to stop networking, stop the air conditioning.

Article 33, in violation of article 22, article 23, article 24 of this approach, is subject to a fine of up to US$ 150,000 for the unit by a time limit of public security authority, warning of the proceeds of the violation, confiscation of proceeds of the law, failure to be changed within the prescribed deadline, and penalties for the head of the unit and other direct responsibilities are imposed by a fine of up to 5,000 for the unit; serious circumstances, and punishable by 6 months for the cessation of the network, the closure of the aircraft.

Article 34, in violation of article 288 of this approach, article 29, provides for warning by public security authorities, fines that may be imposed on individuals and will be 5,000, which may be fined to the unit and amount to US$ 150,000, and if the proceeds of the offence are confiscated, a fine of between 1 and three times the proceeds of the violation may be imposed, but not more than 300,000 dollars, in serious circumstances, and punishable by 6 months for the cessation of the network, the closure of the aircraft.

Article XV contains one of the following acts by a public security authority, which imposes a fine of up to 5,000 dollars for the head of the unit responsible and other direct responsibilities, and imposes a fine of up to 5,000 dollars for the unit; and the proceeds of the violation may be fined between 1 and 3 times the proceeds of the offence, except for the confiscation of proceeds of the violation, but the maximum shall not exceed 300,000 dollars:

(i) Non-exploitation activities through assessment capacity assessment;

(ii) Impacts on the regular operation of the computer information system, which endangers the security of the computerized information system;

(iii) Releasing to third parties the verification of the operation of computer information systems, the secrets of units and other information;

(iv) The deliberate concealment of the security problems identified during the assessment process, or the misleading of leave during the assessment process, and the absence of an assessment report;

(v) The unauthorized possession, use of metric information and data documents;

(vi) Sub-contracting or redirecting evaluation projects;

(vii) The development, sale and security of information systems for the development, sale and information systems dedicated to the safety of specialized products in computer information systems, or the limitation of the purchase, use and use of the designated information security-specific products by the assessment units;

(viii) Other possible impacts on the objective, impartial conduct of the assessment, or the conduct of the assessment in accordance with national provisions.

Article 36, in violation of this approach, constitutes a violation of the provisions of the Law on the Safety and Security of the People's Republic of China, which imposes losses on the State, other organizations or other property, shall be held in accordance with the law, and shall be held criminally liable by law.

Article 37: Public security authorities and other relevant departments and their staff have one of the following acts, and administratively disposed of directly responsible personnel by law; constituted criminality by law.

(i) To request or receive bribes, or to commit negligence or abuse of authority;

(ii) Disclosure of relevant information, information and data documents for the operation of computer information systems, the use of units or individuals;

(iii) Other non-compliance with statutory responsibilities.

Annex VI

The computer information system referred to in Article 338 this approach refers to the personal machine systems that are processed by computers and their associated and accompanying equipment, facilities, networks, in accordance with certain application objectives and rules, for the collection, processing, storage, transmission, retrieval, etc.

The information security ratings described in this approach refer to testing, evaluation and judgement of the security situation in computer information systems.

The security services described in this approach refer to units operating in the area of computer information systems safety design, construction, testing, maintenance, supervision, counselling, training.

The approach refers to internet units and users, including through computer or handicraft, to access Internet units and users, such as linear, wireless.

Article 39 of this approach is implemented effective 1 February 2012.