Provisions of Yunnan Province on the Safety Supervision and Management of Network and Information System

Article 1 In order to protect the security of networks and information systems and promote the application and development of networks, these Provisions are formulated in accordance with the Regulations of the People's Republic of China on the Security Protection of Computer Information Systems and relevant laws and regulations, in light of the actual situation of this province.

Article 2 The people's governments at or above the county level shall lead and coordinate the work of network and information system security.

Public security organs at or above the county level shall be responsible for the safety supervision and management of networks and information systems within their respective administrative areas.

State security organs, state secrecy departments, information industry departments and other relevant departments at or above the county level shall be responsible for work related to network and information system security management within the scope of their respective responsibilities.

Article 3 Networks and information systems shall implement the security level protection system. The following units involve basic information networks and important information systems whose security relates to national security, the economic lifeline and social stability, and shall be given special protection:

(1) Organs at all levels;

(2) Banks, insurance, securities and other financial institutions;

(3) Postal and telecommunications units;

(4) Radio, television, press and publication units;

(5) Key energy users such as electricity, coal, gas and fuel oil;

(6) Aviation, railways and key roads, water transport and other transport units;

(7) Water conservancy and water supply units;

(8) Important material reserve units;

(9) Key project construction units;

(10) Large industrial and commercial, information technology enterprises;

(11) Key scientific research and education institutions;

(12) Social emergency service institutions such as medical and health care, fire protection and emergency rescue;

(13) Other units that need protection.

Article 4 The key protected networks and information systems shall meet the following security protection requirements:

(1) The safety of the computer room and the external environment, equipment and media meets the requirements of relevant laws, regulations, rules and standards;

(2) Having information operation safety protection measures such as risk analysis, backup and recovery, and disaster recovery;

(3) Having information security protection measures such as operating system security, database security, network security, virus protection and access control, as well as security protection measures to prevent illegal invasion and attack of networks and information systems;

(4) Using special products for network and information system security that hold administrative license certificates such as the Sales License for Special Products for Computer Information System Security;

(5) Establishing a network and information system security management institution, or being equipped with full-time or part-time network and information system security personnel, specifically responsible for network and information system security protection.

Article 5 The key protected networks and information systems engaged in international networking business or providing Internet services to the public shall meet the following security protection requirements in addition to the provisions of Article 4:

(1) Having log records of system operation and user use covering more than 60 days;

(2) Having measures to record the calling telephone number or network address of users;

(3) Having measures for user identity registration, identification and confirmation;

(4) Having safety protection measures such as spam filtering and harmful information control;

(5) Having installed the safety management software and hardware stipulated by the state.

Article 6 Users of key protected networks and information systems shall establish the following security protection systems:

(1) The computer room safety management system;

(2) The system for the appointment and removal of the person in charge of safety management and the responsibility system for safety;

(3) The network security vulnerability detection and security system upgrade management system;

(4) The operating authority management system;

(5) The user registration system;

(6) The system of examination, registration, preservation, deletion and backup of information release;

(7) The public information service management system.

Article 7 The full-time or part-time network and information system security personnel of key protected networks and information systems shall obtain the qualification of information security professionals recognized by the state. Those who have not obtained the qualification of information security professionals shall undergo professional training organized by public security organs at or above the county level, alone or in conjunction with relevant departments, and pass the examination.

An annual professional assessment system shall be implemented for network and information system security personnel.

Article 8 Network and information system security integration shall be undertaken by units with network and information system security integration capabilities.

Units engaged in the security integration of key protected networks and information systems shall obtain the integration qualification recognized by relevant state departments, and be equipped with technicians who can meet the needs of security integration and have mastered the relevant network and information system security standards.

Network and information system security integration units shall file with the public security organs at or above the state (city) level, and accept the supervision and inspection of the public security organs.

Article 9 When engaging in the security integration of key protected networks and information systems, the security integration unit shall implement the national security protection standards for networks and information systems, hand over all materials to the users of the networks and information systems in a timely manner after the security integration is completed, and be responsible for keeping confidential the network structure and configuration of the security-integrated system and the state secrets and business secrets learned in the course of the security integration. It is forbidden to set up covert channels in security-integrated networks and information systems.

Article 10 Before the new construction, renovation or expansion of key protected networks and information systems, users shall report the safety measures to the competent public security organs for the record.