Inner Mongolia Autonomous Region, Computer Information System Security Measures

Original Language Title: 内蒙古自治区计算机信息系统安全保护办法

Read the untranslated law here: http://www.chinalaw.gov.cn/article/fgkd/xfg/dfzfgz/201205/20120500368193.shtml

Inner Mongolia autonomous region, computer information system security measures

(Adopted at the 12th Executive Meeting of the People's Government of the Inner Mongolia Autonomous Region on November 16, 2011; promulgated by the People's Government of the Inner Mongolia Autonomous Region on December 6, 2011 as No. 183; in force as of February 1, 2012)

Chapter I General Provisions

Article 1 These measures are formulated to protect the security of computer information systems, in accordance with the People's Republic of China Regulations on Protection of Computer Information System Security and related laws and regulations, and in light of the actual conditions of the autonomous region.

Article 2 These measures apply to the security protection of computer information systems within the administrative area of the autonomous region.

Article 3 The public security organs of the people's governments above the banner (county) level are responsible for administering the security protection of computer information systems.

The national security authority, the security sector, password management and other departments concerned are responsible for the security protection of computer information systems within their respective mandates.

Article 4 The security protection of computer information systems shall safeguard the security of computers and their related and ancillary equipment and facilities (including networks), the security of the operating environment and the security of information, and shall ensure that computer functions operate properly, in order to maintain the safe operation of computer information systems.

Chapter II Classified Security Protection

Article 5 Computer information systems are subject to a classified security protection system.

Security levels are determined according to the importance of the computer information system to national security, the economy and social life, the degree of harm that damage to the system would cause to national security, social order, the public interest and the legitimate rights and interests of citizens, legal persons and other organizations, and other factors, and are divided into five levels:

(1) First level: destruction of the computer information system may cause damage to the legitimate rights and interests of citizens, legal persons and other organizations, without prejudice to national security, social order and the public interest;

(2) Second level: destruction of the computer information system may cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or may cause harm to social order and the public interest, without prejudice to national security;

(3) Third level: destruction of the computer information system may cause serious harm to social order and the public interest, or may cause damage to national security;

(4) Fourth level: destruction of the computer information system may cause exceptionally grave harm to social order and the public interest, or may cause serious harm to national security;

(5) Fifth level: destruction of the computer information system could cause exceptionally grave damage to national security.

Article 6 Units that operate and use computer information systems shall comply with the following requirements:

(1) accurately determine the security level of the computer information system in accordance with the management norms and technical standards for classified protection;

(2) for a new computer information system, determine the security level during planning and design, construct information system security facilities that meet the requirements of that security level, and implement security protection measures;

(3) where the structure, processes, services or content of the computer information system change significantly, or the public security organ requires the level to be redefined, reclassify the system;

(4) according to the security level of the computer information system, use information security products that comply with national and autonomous region regulations and hold a computer information system security product license;

(5) regularly carry out self-examination and rectification of the unit's computer information system security status, protection systems and measures;

(6) establish a security organization, define safety management responsibilities, and assign full-time staff to be in charge of the unit's computer information system security management.

Article 7 Units that operate and use computer information systems of the second level or above shall, within 30 days from the date the security level is determined, file for the record with the public security organ of the local league administrative office or districted-city people's government, or with the accepting institution it designates; computer information systems that are networked uniformly across the autonomous region, that span leagues or cities, or that belong to central units stationed in the autonomous region or units directly under the autonomous region shall be filed for the record with the public security organ of the autonomous region people's government or the accepting institution it designates.

Article 8 The public security organ shall review the filing materials within 10 working days from the date it receives them and, where the protection requirements are met, issue a registration certificate.

Where the grading is inaccurate, or the protection measures do not comply with technical specifications, it shall notify the submitting unit to remedy the situation.

Article 9 For computer information systems involving State security, social and public interests, and major economic information, the operating and using units or departments shall select a security level assessment agency that meets the statutory requirements to assess the security status of the computer information system on the basis of national standards.

A second-level computer information system may be put into use only after its construction is completed and it has been evaluated.

Article 10 A computer information system identified as second level shall undergo a system security level assessment at least once every two years; one identified as third level, at least once a year; one identified as fourth level or above, at least once every six months.

Article 11 Agencies and personnel engaged in classified security assessment of computer information systems shall abide by State regulations.

A unit applying to act as a security assessment agency shall pass first-instance review by the public security organs of the municipality and then the competency assessment conducted by the information classified security protection assessment centre of the Ministry of Public Security.

The autonomous region public security organs shall strengthen supervision, inspection and guidance of security level assessment agencies.

Article 12 The public security organs of people's governments above the county level shall inspect the classified security protection work of units that operate and use computer information systems.

Third-level computer information systems shall be inspected at least once a year, and fourth-level computer information systems at least once every six months.

Fifth-level computer information systems shall be inspected by the department specially designated by the State.

Chapter III Safety Management

Article 13 Public security organs shall provide the public with guidance on computer information system security and carry out safety publicity and education.

Article 14 Public security organs implement a classification management and referral system for computer information system security service units.

Article 15 Computer information system security service units shall file for the record with the league- and city-level public security organ.

Computer information system security service units shall implement national and autonomous region standards for computer information system security, and shall be staffed with technical personnel who are suited to the security services they carry out and who have mastered the national and autonomous region standards for computer information system security.

Computer information system security service units and their staff shall not disclose State secrets, trade secrets, or the network architecture, configuration and user information of computer information systems that they learn of in the course of providing security services; shall not unlawfully possess or use a user's information resources; and shall not set up covert channels in computer information systems.

Article 16 In the event of a major emergency endangering national security, public safety or social stability, or an important computer information system security emergency, league- and city-level public security organs, in accordance with the provisions of relevant laws and regulations, request the authorities to take the appropriate control measures.

Units that operate and use computer information systems shall comply with the scheduling of the public security organs and the department designated by the State.

Article 17 Basic telecom operators and units that operate and use computer information systems shall accept the safety supervision, inspection and guidance of public security organs, and shall truthfully provide information relating to computer information system security, basic Internet data and other data files.

Article 18 Basic telecom operators and enterprises and units that provide Internet access services shall implement the following:

(1) cooperate with the public security organs in filing records for the networking units and users they connect; truthfully, accurately and completely register each networking unit's and user's name, nature, user ID, Internet address, machine address, Internet telephone, contact information and other record-filing information required by the public security organ; submit it to the public security organ at the same level; and promptly report changes in the networking units and users on the network;

(2) record and store log information on networking units' and users' network access, such as login and logout times, caller ID, account numbers and Internet addresses, and retain it for not less than 1 year;

(3) implement technical measures for security protection, and map Internet addresses and related network and application information to the corresponding networking unit and user information;

(4) assist the public security organs in investigating Internet-related crimes, and provide 24-hour fast-query support by means such as manual, unattended and remote network query;

(5) assist the public security organs in providing security awareness education to the networking units and users they connect, and in implementing security protection measures;

(6) where significant adjustments are to be made to Internet topology, protocols and the like, file them for the record with the public security organ of the people's government before implementation.

Article 19 Units that provide Internet access services, units that provide server hosting or space rental services, Internet information service providers and other relevant telecommunications business operators shall establish a security management system; adopt security technology measures such as monitoring for abnormal traffic and illegal information; promptly detect activities that endanger information network security, the online spread of illegal information, and illegal and criminal activities; retain the relevant original records; promptly take measures such as deletion and stopping transmission; and report to the local public security organ within 24 hours.

Article 20 Networking units and users shall take security measures, such as setting high-security passwords and changing passwords regularly, to protect Internet security.

Basic telecom operators may adopt technical measures such as dynamic password authentication when providing networking units and users with Internet access.

Article 21 Networking units and users that provide Internet service to other units or individuals, or that share Internet accounts with other units and individuals, shall comply with the relevant provisions of the State and file for the record with the public security organ of the people's government above the county level.

Article 22 Units that provide Internet service, and units that access the Internet over a LAN with more than 10 user terminals in the network, shall install and run safety management systems that meet national and autonomous region requirements.

Article 23 Venues that provide Internet services, such as guesthouses, hotels, restaurants, airports, stations and reading rooms, and the managers of venues with wireless Internet access shall adopt safety measures for user login, and shall check and register users' valid identity documents.

Article 24 Networking units and Internet access units that use network address translation with internal network addresses to access the Internet shall record and retain users' Internet access hardware address information and the correspondence between internal network addresses and Internet network addresses.

The retention period shall be not less than 1 year.

Article 25 Those who produce, sell or provide products and tools for remote control of computer information systems, password guessing and cracking, vulnerability detection, or mass information sending shall file for the record with the public security organ of the autonomous region people's government or the public security organ it designates.

Chapter IV Security Order

Article 26 Units that operate and use computer information systems shall establish and implement the following safety management systems:

(1) the machine room safety management system;

(2) the safety responsibility system;

(3) the system for detecting viruses and network security vulnerabilities and for upgrading systems;

(4) the security risk management and emergency handling system;

(5) the account use registration and rights management system;

(6) the job responsibilities of safety managers;

(7) the management system for important equipment and media;

(8) the system for information review, registration, storage, removal and backup;

(9) the management system for mass information services;

(10) the safety education and training system;

(11) the system for reporting incidents and assisting in the investigation of cases;

(12) other security-related management systems.

Article 27 Units that operate computer information systems shall take the following safety measures:

(1) redundancy or backup measures for important parts of the system;

(2) computer virus prevention measures;

(3) network attack prevention and tracing measures;

(4) security audit and early warning measures;

(5) measures for keeping system and user logs for more than 1 year;

(6) measures for recording user accounts, calling telephone numbers and Web addresses;

(7) registration and recognition confirmation measures;

(8) measures for preventing, controlling and cleaning up spam and harmful information;

(9) measures for restricting mass information;

(10) other technical measures for the protection of computer information system security.

Article 28 No unit or individual may use computer information systems or mobile communication terminals to produce, disseminate or copy information that does any of the following:

(1) harms national unity, sovereignty and territorial integrity;

(2) discloses State secrets, endangers national security, or harms national honor and national interests;

(3) incites ethnic hatred or ethnic discrimination, undermines national unity, or violates ethnic customs and traditions;

(4) undermines the country's religion policy, or publicizes cults and feudal superstition;

(5) spreads rumors, publishes false information, disrupts social order or undermines social stability;

(6) incites gathering a crowd to make trouble, harming the public interest;

(7) promotes obscenity, pornography, gambling, violence, murder or terrorism;

(8) instigates crime or imparts criminal methods;

(9) disseminates others' privacy, or insults, slanders or threatens others, infringing their legitimate rights and interests;

(10) engages in cheating-related activities;

(11) traffics in counterfeit money, fake documents, fake invoices, fake and shoddy goods, firearms, ammunition, explosives, drugs, bugging devices and other items prohibited by laws and regulations;

(12) is other information whose production, dissemination and replication are prohibited by laws and regulations.

Article 29 No unit or individual may commit the following acts:

(1) accessing computer information systems without authorization, or unlawfully possessing, using or stealing computer information system resources;

(2) deleting, modifying, adding to or interfering with computer information system functions without permission;

(3) deleting, modifying or adding to data and applications stored, processed or transmitted in computer information systems without permission;

(4) using stolen account numbers and passwords of computer information systems, or disclosing another user's ID and password to a third party without authorization;

(5) illegally intercepting, tampering with or deleting others' e-mail or other data;

(6) intentionally producing and disseminating computer viruses, malware and other destructive programs;

(7) producing or disseminating information through computer information systems in a counterfeit name, or committing online fraud by any other means;

(8) establishing or managing groups, forums and the like that are mainly used for disseminating or exchanging criminal information;

(9) allowing or condoning others to post information prohibited by Article 28 on Web sites, Web pages or groups that one owns or manages;

(10) providing illegal websites with network services such as server hosting, virtual hosting and storage space, or funding them directly or indirectly through advertising;

(11) providing Internet access, communication channels, and fee and cost settlement services to websites known to be illegal;

(12) for the purpose of profit, spreading or deleting information over the Internet and infringing upon others' legitimate interests;

(13) providing methods, programs and tools for intrusion into or illegal control of computer information systems;

(14) other acts prohibited by laws and regulations that are carried out using computer information systems.

Chapter V Legal Liability

Article 30 Where Article 6, Article 9, Article 10, Article 17, the first to fourth items of Article 18, Article 19, Article 26 or Article 27 of these measures is violated, the public security organ shall order correction within a time limit and give a warning, and shall confiscate any illegal proceeds; where correction is not made within the prescribed time limit, the unit's person in charge and other directly responsible personnel shall be fined not more than 5000 Yuan, the unit shall be fined not more than 15000 Yuan, and it is recommended that the competent authority discipline the principal leaders of the unit concerned; where the circumstances are serious, a penalty of suspension of networking or shutdown for rectification for up to 6 months may also be imposed.

Article 31 Where Article 15 of these measures is violated, the public security organ shall fine the unit's person in charge and other directly responsible personnel not more than 5000 Yuan, and fine the unit more than 5000 Yuan but not more than 15000 Yuan; where there is illegal income, in addition to confiscating the illegal income, it may impose a fine of 1 to 3 times the illegal income, up to a maximum of 30000 Yuan.

Article 32 Where the first paragraph of Article 20 of these measures is breached, the public security organ shall order rectification and give a warning; where correction is not made within the prescribed period, a penalty of suspension of networking or shutdown for rectification for up to 6 months may be imposed.

Article 33 Where Article 22, Article 23 or Article 24 of these measures is violated, the public security organ shall order correction within a time limit and give a warning, and shall confiscate any illegal proceeds; where correction is not made within the prescribed time limit, the unit's person in charge and other directly responsible personnel shall be fined not more than 5000 Yuan and the unit shall be fined not more than 15000 Yuan; where the circumstances are serious, a penalty of suspension of networking or shutdown for rectification for up to 6 months may also be imposed.

Article 34 Where Article 28 or Article 29 of these measures is violated, the public security organ shall give a warning, and may in addition fine an individual not more than 5000 Yuan and a unit not more than 15000 Yuan; where there are illegal proceeds, in addition to confiscating the illegal proceeds, it may impose a fine of 1 to 3 times the illegal proceeds, up to a maximum of 30000 Yuan; where the circumstances are serious, a penalty of suspension of networking or shutdown for rectification for up to 6 months may also be imposed.

Article 35 Where units and personnel engaged in computer information system security level assessment commit any of the following acts, the public security organ shall fine the unit's person in charge and other directly responsible personnel not more than 5000 Yuan, and fine the unit more than 5000 Yuan but not more than 15000 Yuan; where there are illegal proceeds, in addition to confiscating the illegal proceeds, it may impose a fine of 1 to 3 times the illegal proceeds, up to a maximum of 30000 Yuan:

(1) engaging in assessment activities without having passed the assessment competency evaluation;

(2) affecting the operation of the computer information system under assessment, or endangering the security of the computer information system under assessment;

(3) disclosing without authorization to a third party confidential and other information of the units that operate and use the assessed computer information system;

(4) intentionally concealing safety problems found in the assessment process, committing fraud in the assessment process, or not providing the assessment report;

(5) possessing or using without authorization information and data files related to the assessment;

(6) subcontracting or transferring assessment projects;

(7) engaging in the development or sale of computer information system security products or in information system security integration, or requiring the assessed unit to purchase and use specified information security products;

(8) other acts that may affect the objectivity and fairness of the assessment result, or assessment work not carried out in accordance with State regulations.

Article 36 Where a violation of these measures constitutes an act contravening public security management, punishment shall be imposed in accordance with the People's Republic of China Public Security Management Punishment Law; where it causes losses to the property of the State, other organizations or other persons, civil liability shall be borne; where it constitutes a crime, criminal responsibility shall be investigated according to law.

Article 37 Where public security organs, other relevant departments or their staff commit any of the following acts, the directly responsible managers and other directly responsible persons shall be given administrative sanctions; where a crime is constituted, criminal responsibility shall be investigated according to law:

(1) using their power to solicit or accept bribes, or committing dereliction of duty or abuse of power;

(2) disclosing information, resources and data files relating to units or individuals that operate computer information systems;

(3) failing to perform statutory duties.

Chapter VI Supplementary Articles

Article 38 "Computer information system" in these measures refers to a human-machine system composed of computers and their related and supporting equipment and facilities (including networks) that collects, processes, stores, transmits and retrieves information according to certain application goals and rules.

"Information security evaluation" in these measures refers to the testing, evaluation and judgment of the security status of computer information systems.

"Security services" in these measures refers to business units engaged in computer information system safety design, construction, testing, maintenance, supervision, advice, training and other such business.

"Networking units and users" in these measures includes units and users that access the Internet by wired or wireless means through computers, mobile phones or other communication terminals.

Article 39 These measures come into force on February 1, 2012.