An information system that stores and handles state secrets is a classified information system. It is protected at different levels according to its classification, and its security and confidentiality management is implemented in accordance with the relevant state secrecy laws, regulations and standards.
Article 3 The public security organs of provinces, cities and counties (including county-level cities and districts, the same below) are responsible for the security management of information systems.
National security, telecommunications, security, password management and other departments are responsible, within the scope of their respective duties, for information system security management.
Article 4 Information system operators and users shall ensure the security of computers and their related and supporting equipment and facilities (including networks), the operating environment and information security, and maintain the safe operation of information systems.
Article 5 No organization or individual may commit acts that endanger the security of information systems, use information systems to engage in activities that endanger national security, social order and public interests, or infringe upon the legitimate rights and interests of citizens, legal persons and other organizations.
Article 6 Provincial public security organs and provincial telecommunications authorities shall establish a work coordination mechanism and improve information security measures. The relevant administrative departments shall cooperate with the public security organs in punishing illegal and criminal acts that endanger the security of information systems.
Chapter II Security Level Protection
Article 7 Information systems shall be subject to a security level protection system. According to the importance of an information system and the degree of harm to national security, social order, public interests and the legitimate rights and interests of citizens, legal persons and other organizations, information systems are divided into the following five levels:
(1) First level: if the information system is damaged, it will harm the legitimate rights and interests of citizens, legal persons and other organizations, but will not harm national security, social order and public interests;
(2) Second level: if the information system is damaged, it will cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or damage to social order and public interests, but will not endanger national security;
(3) Third level: if the information system is destroyed, it will cause serious damage to social order and public interests, or damage to national security;
(4) Fourth level: if the information system is destroyed, it will cause particularly serious damage to social order and public interests, or serious damage to national security;
(5) Fifth level: if the information system is destroyed, it will cause particularly serious damage to national security.
Article 8 Information system operators and users shall determine the security protection level of their information systems according to the national information system security level protection management norms and technical standards, following the principles of independent classification, independent protection and performance of obligations and responsibilities.
For information systems that operate across provinces or across the country in a unified network, the security protection level can be determined by the competent departments of the information system operators and users.
Article 9 Information system operators and users shall establish a security management system, implement technical measures for security protection, and determine responsible institutions and personnel in accordance with the relevant technical specifications of national information system security level protection.
Article 10 Information system operators and users shall determine the security protection level of an information system at the planning and design stage, build at the same time security facilities that meet the requirements of that security protection level, and use technical products that comply with the relevant provisions of the state and can meet the requirements of that security protection level.
Where an information system has been put into operation but does not meet the requirements of its security protection level, technical measures shall be taken to remedy or rebuild it.
Article 11 In any of the following circumstances, the information system operator and user shall file with the local public security organ for the record:
(1) An information system at or above the second level that has already been put into operation shall be filed with the municipal public security organ within thirty days after its security protection level is determined; a newly built information system above the second level shall be filed with the municipal public security organ within thirty days after it is put into operation;
(2) Branch systems and information systems belonging to provincial units operating in a unified network across provinces or across the country shall be filed with the provincial public security organs by the provincial telecommunications authorities and provincial units, except that the superior departments in charge of provincial branches shall file with the relevant departments of the State Council;
(3) Where the security protection level has changed because of major changes in the information system's structure, processing flow, service content, etc., the system shall be re-filed with the public security organ that originally accepted the filing within 30 days from the date of the change.
The public security organ shall conduct an audit within ten working days from the date of receiving the filing materials. Where the requirements of security level protection are met, the "Information System Security Level Protection Record Certificate" will be issued; where they are not met, notice is given in writing and the reasons are explained.
Article 12 Information system operators and users shall, in accordance with the relevant provisions of the state and technical standards, carry out information system security level protection assessment and self-examination.
The information system operator and user shall keep the grade evaluation report on record for future reference and, at the same time, file it with the public security organ that accepted the filing.
Where the requirements of security level protection are not met, the information system operator and user shall make timely rectification.