Chinese Government Requests Public Comment on Securing China's Critical Information Infrastructure

Notice of the National Internet Information Office (Cyberspace Administration of China) on Soliciting Public Comments on the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comment)

    In order to safeguard the security of critical information infrastructure, and pursuant to the Cybersecurity Law of the People's Republic of China, we have drafted, together with the relevant departments, the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comment), which are hereby published for public comment. Relevant units and members of the public may submit comments by August 10, 2017 through the following channels:

First, by post to: Network Security Coordination Bureau, National Internet Information Office, No. 11 Chegongzhuang Street, Xicheng District, Beijing, postcode 100044, with "Comments" marked on the envelope.

Second, by e-mail to: security@cac.gov.cn.

 

Annex: Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comment)

 

National Internet Information Office

July 10, 2017

Regulations on the Security Protection of Critical Information Infrastructure

(Draft for Comment)

Chapter I General Provisions

    Article 1 These Regulations are formulated in accordance with the Cybersecurity Law of the People's Republic of China in order to safeguard the security of critical information infrastructure.

Article 2 These Regulations apply to the planning, construction, operation, maintenance and use of critical information infrastructure within the territory of the People's Republic of China, and to the security protection of critical information infrastructure.

Article 3 The security protection of critical information infrastructure adheres to the principles of top-level design and overall protection, unified coordination and division of responsibilities; it gives full play to the role of operators, with all parties in society participating actively to jointly protect the security of critical information infrastructure.

Article 4 The national industry competent or regulatory departments are responsible, in accordance with the division of responsibilities prescribed by the State Council, for guiding and supervising the security protection of critical information infrastructure in their respective industries and fields.

The state cyberspace administration department is responsible for the overall coordination of critical information infrastructure security protection and the related supervision and management work. The public security, state security, state secrecy administration, state cryptography administration and other departments of the State Council are responsible, within their respective duties, for the related cybersecurity protection and supervision and management work.

The relevant departments of local people's governments at or above the county level shall carry out critical information infrastructure security protection work in accordance with the relevant provisions of the State.

Article 5 The operator of critical information infrastructure (hereinafter "the operator") bears primary responsibility for the security of its own critical information infrastructure, performs cybersecurity protection obligations, accepts supervision by the government and society, and bears social responsibility.

The State encourages network operators outside the scope of critical information infrastructure to participate voluntarily in the critical information infrastructure protection system.

Article 6 Critical information infrastructure receives key protection on the basis of the cybersecurity multi-level protection scheme (MLPS).

Article 7 Any individual or organization that discovers conduct endangering the security of critical information infrastructure has the right to report it to the cyberspace administration, telecommunications, public security and other departments, or to the industry competent or regulatory departments.

The department receiving a report shall handle it promptly in accordance with law; where the matter does not fall within its duties, it shall promptly transfer it to the department with authority to handle it.

The relevant departments shall keep the whistleblower's information confidential and protect the whistleblower's lawful rights and interests.

 

Chapter II Support and Safeguards

    Article 8 The State takes measures to monitor, defend against and handle cybersecurity risks and threats originating both inside and outside the territory of the People's Republic of China, protects critical information infrastructure from attack, intrusion, interference and destruction, and punishes cyber-related illegal and criminal activities in accordance with law.

Article 9 The State formulates industrial, fiscal and taxation, financial and talent policies to support innovation in technologies, products and services related to critical information infrastructure security, promotes secure and trustworthy network products and services, trains and selects cybersecurity talent, and raises the security level of critical information infrastructure.

Article 10 The State establishes and improves a cybersecurity standards system and uses standards to guide and regulate critical information infrastructure security protection work.

Article 11 People's governments at or above the prefecture (city) level shall incorporate critical information infrastructure security protection into the overall plan for regional economic and social development, increase investment, and carry out performance assessment and evaluation of the work.

Article 12 The State encourages government departments, operators, scientific research institutions, cybersecurity service organizations, industry organizations, and providers of network products and services to cooperate on critical information infrastructure security.

Article 13 The national industry competent or regulatory departments shall establish or designate institutions and personnel specifically responsible for critical information infrastructure security protection in their industries and fields, prepare and organize the implementation of cybersecurity plans for their industries and fields, and establish a sound funding guarantee mechanism and supervise its implementation.

Article 14 The energy, telecommunications, transportation and other industries shall provide key guarantees and support in terms of power supply, network communications, transportation and other aspects for the emergency handling of critical information infrastructure cybersecurity incidents and the restoration of network functions.

Article 15 Public security organs and other departments shall, in accordance with law, investigate and crack down on illegal and criminal activities targeting or making use of critical information infrastructure.

Article 16 No individual or organization may engage in any of the following activities or conduct that endangers critical information infrastructure:

(1) attacking, intruding into, interfering with or destroying critical information infrastructure;

(2) illegally obtaining, selling, or providing to others without authorization information such as technical materials that may be used specifically to endanger the security of critical information infrastructure;

(3) carrying out unauthorized penetrative or offensive scanning and probing of critical information infrastructure;

(4) knowingly providing assistance such as Internet access, server hosting, network storage, communications transmission, advertising and promotion, or payment settlement to others engaged in activities that endanger the security of critical information infrastructure;

(5) other activities or conduct that endangers critical information infrastructure.

Article 17 The State safeguards cybersecurity on the basis of an open environment and actively carries out international exchange and cooperation in the field of critical information infrastructure security.

 

Chapter III Scope of Critical Information Infrastructure

    Article 18 Network facilities and information systems operated or managed by the following units shall be included in the scope of critical information infrastructure protection where their destruction, loss of function or data leakage might seriously endanger national security, the national economy and people's livelihood, or the public interest:

(1) government organs, and units in industries and fields such as energy, finance, transportation, water conservancy, health and medical care, education, social security, environmental protection and public utilities;

(2) information networks such as telecommunications networks, radio and television networks and the Internet, and units providing cloud computing, big data and other large-scale public information network services;

(3) scientific research and production units in fields such as national defense science and industry, large-scale equipment, chemicals, and food and pharmaceuticals;

(4) news units such as radio stations, television stations and news agencies;

(5) other key units.

Article 19 The state cyberspace administration department shall, together with the telecommunications competent department, the public security department and other departments of the State Council, formulate guidelines for the identification of critical information infrastructure.

The national industry competent or regulatory departments shall, in accordance with the identification guidelines, organize the identification of critical information infrastructure in their industries and fields and report the identification results according to procedure.

In the process of identifying and determining critical information infrastructure, full play shall be given to the role of relevant experts so as to improve the accuracy, reasonableness and scientific basis of the identification.

Article 20 Where critical information infrastructure is newly built or decommissioned, or undergoes a major change, the operator shall promptly report the relevant situation to the national industry competent or regulatory department.

The national industry competent or regulatory department shall promptly adjust the identification on the basis of the situation reported by the operator and report the adjustment according to procedure.

 

Chapter IV Security Protection by Operators

    Article 21 The construction of critical information infrastructure shall ensure that it has the capacity to support stable and continuous business operation, and shall ensure that security technical measures are planned, built and put into use simultaneously with it.

Article 22 The principal person in charge of the operator is the person with primary responsibility for the security protection of the unit's critical information infrastructure; he or she is responsible for establishing a sound cybersecurity responsibility system and organizing its implementation, and bears overall responsibility for the security protection of the unit's critical information infrastructure.

Article 23 The operator shall, in accordance with the requirements of the cybersecurity multi-level protection scheme, perform the following security protection obligations to protect critical information infrastructure from interference, destruction or unauthorized access, and to prevent network data from being leaked, stolen or tampered with:

(1) formulate internal security management systems and operating procedures, and strictly manage identity authentication and permissions;

(2) adopt technical measures to prevent computer viruses, network attacks, network intrusions and other conduct that endangers cybersecurity;

(3) adopt technical measures to monitor and record network operating status and cybersecurity incidents, and retain the relevant network logs for not less than six months as required;

(4) adopt measures such as data classification, backup of important data, and encryption and authentication.

Article 24 In addition to Article 23 of these Regulations, the operator shall, in accordance with national laws and regulations and the mandatory requirements of relevant national standards, perform the following security protection obligations:

(1) establish a dedicated cybersecurity management body and designate a person in charge of cybersecurity management, and conduct security background checks on that person and on personnel in key positions;

(2) regularly conduct cybersecurity education, technical training and skills assessment for employees;

(3) make disaster-recovery backups of important systems and databases, and promptly take remedial measures against system vulnerabilities and other security risks;

(4) formulate emergency response plans for cybersecurity incidents and conduct regular drills;

(5) other obligations prescribed by laws and administrative regulations.

Article 25 The operator's person in charge of cybersecurity management performs the following duties:

(1) organizes the formulation of cybersecurity rules and operating procedures and supervises their implementation;

(2) organizes skills assessment of personnel in key positions;

(3) organizes the formulation and implementation of the unit's cybersecurity education and training plan;

(4) organizes cybersecurity inspections and emergency drills, and responds to and handles cybersecurity incidents;

(5) reports important cybersecurity matters and incidents to the relevant state departments as required.

Article 26 A certification-before-posting system applies to professional and technical personnel in the operator's key cybersecurity positions.

The specific provisions on certification shall be formulated by the human resources and social security department of the State Council together with the state cyberspace administration department and other departments.

Article 27 The operator shall organize cybersecurity education and training for employees. The training time for each person shall be not less than one working day per year, and for professional and technical personnel in key positions not less than three working days per year.

Article 28 The operator shall establish a sound system for security testing and assessment of critical information infrastructure, and shall carry out security testing and assessment before critical information infrastructure goes into operation and whenever it undergoes a major change.

The operator shall, itself or by entrusting a cybersecurity service organization, test and assess the security of the critical information infrastructure and its potential risks at least once a year, promptly rectify any problems found, and report the relevant situation to the national industry competent or regulatory department.

Article 29 Personal information and important data collected and generated by the operator in the course of operations within the territory of the People's Republic of China shall be stored within the territory. Where it is truly necessary for business reasons to provide such data overseas, a security assessment shall be carried out in accordance with the measures for security assessment of the outbound transfer of personal information and important data; where laws or administrative regulations provide otherwise, those provisions apply.

 

Chapter V Product and Service Security

    Article 30 Critical network equipment and dedicated cybersecurity products purchased or used by the operator shall comply with laws and administrative regulations and with the mandatory requirements of relevant national standards.

Article 31 Where the operator's procurement of network products and services may affect national security, it shall pass a cybersecurity review in accordance with the measures for the security review of network products and services, and sign a security and confidentiality agreement with the provider.

Article 32 The operator shall carry out security testing of outsourced-developed systems and software, and of donated network products, before putting them into use.

Article 33 Where the operator discovers that network products or services in use have security defects, vulnerabilities or other risks, it shall promptly take measures to eliminate the risks; where major risks are involved, it shall report to the relevant departments as required.

Article 34 The operation and maintenance of critical information infrastructure shall be carried out within the territory. Where overseas remote maintenance is truly necessary for business reasons, it shall be reported in advance to the national industry competent or regulatory department and to the public security department of the State Council.

Article 35 Institutions that carry out security testing and assessment for critical information infrastructure, publish security threat information such as system vulnerabilities, computer viruses and network attacks, or provide services such as cloud computing and information technology outsourcing shall meet the relevant requirements.

The specific requirements shall be formulated by the state cyberspace administration department together with the relevant departments of the State Council.

 

Chapter VI Monitoring and Early Warning, Emergency Response, and Testing and Assessment

    Article 36 The state cyberspace administration department coordinates the establishment of a cybersecurity monitoring and early-warning system and an information notification system for critical information infrastructure, organizes and guides relevant institutions in aggregating, analyzing and assessing cybersecurity information and issuing notifications, and uniformly publishes cybersecurity monitoring and early-warning information as required.

Article 37 The national industry competent or regulatory departments shall establish sound cybersecurity monitoring, early-warning and information notification systems for critical information infrastructure in their industries and fields, keep abreast of the operating status and security risks of the critical information infrastructure in their industries and fields, and notify the relevant operators of security risks and related work information.

The national industry competent or regulatory departments shall organize the assessment of security monitoring information; where they consider that preventive and response measures must be taken immediately, they shall promptly issue early-warning information and recommended emergency preventive measures to the relevant operators, and report to the relevant departments in accordance with the national cybersecurity incident emergency response plan.

Article 38 The state cyberspace administration department coordinates the relevant departments, operators, research institutions and cybersecurity service organizations in establishing a cybersecurity information sharing mechanism for critical information infrastructure and promotes the sharing of cybersecurity information.

Article 39 The state cyberspace administration department shall, in accordance with the national cybersecurity incident emergency response plan, coordinate the relevant departments in establishing a sound cybersecurity emergency coordination mechanism for critical information infrastructure, strengthen the building of cybersecurity emergency response capacity, and guide and coordinate the relevant departments in organizing cross-industry and cross-regional cybersecurity emergency drills.

The national industry competent or regulatory departments shall organize the formulation of cybersecurity incident emergency response plans for their industries and fields and organize regular drills to improve incident response and disaster recovery capabilities. Upon the occurrence of a major cybersecurity incident, or upon receipt of early-warning information from the cyberspace administration department, they shall immediately activate the emergency response plan to organize a response and promptly report the relevant situation.

Article 40 The national industry competent or regulatory departments shall regularly organize spot-check testing of the security risks of critical information infrastructure in their industries and fields and of operators' performance of their security protection obligations, propose improvement measures, and guide and urge operators to promptly rectify problems found in testing and assessment.

The state cyberspace administration department coordinates the spot-check testing carried out by the relevant departments so as to avoid overlapping and duplicated testing and assessment.

Article 41 Relevant departments organizing security testing and assessment of critical information infrastructure shall adhere to the principles of objectivity, impartiality, efficiency and transparency, adopt scientific testing and assessment methods, standardize the testing and assessment process, and control the risks of testing and assessment.

The operator shall cooperate with testing and assessment carried out by the relevant departments in accordance with law and promptly rectify problems found during testing and assessment.

Article 42 Relevant departments organizing security testing and assessment of critical information infrastructure may adopt the following measures:

(1) require the operator's relevant personnel to give explanations on matters under testing and assessment;

(2) consult, retrieve and copy documents and records related to security protection;

(3) examine the formulation and implementation of cybersecurity management systems and the planning, construction and operation of cybersecurity technical measures;

(4) use testing tools, or entrust cybersecurity service organizations, to carry out technical testing;

(5) other necessary means agreed to by the operator.

Article 43 Information obtained by the relevant departments and cybersecurity service organizations during security testing and assessment of critical information infrastructure may be used only as needed to safeguard cybersecurity and shall not be used for any other purpose.

Article 44 Relevant departments organizing security testing and assessment of critical information infrastructure shall not charge fees to the units being tested and assessed, and shall not require those units to purchase products or services of designated brands or of designated manufacturers or vendors.

 

Chapter VII Legal Liability

    Article 45 Where an operator fails to perform the cybersecurity protection obligations provided for in paragraph 1 of Article 20, or in Article 21, 23, 24, 26, 27, 28, 30, 32, 33 or 34 of these Regulations, the relevant competent department shall, in accordance with its duties, order correction and issue a warning; where the operator refuses to correct, or the failure results in harm to cybersecurity or other consequences, a fine of not less than 100,000 yuan and not more than 1,000,000 yuan shall be imposed, and the directly responsible person in charge shall be fined not less than 10,000 yuan and not more than 100,000 yuan.

Article 46 Where an operator, in violation of Article 29 of these Regulations, stores network data overseas or provides network data overseas, the relevant national competent department shall, in accordance with its duties, order correction, issue a warning, confiscate the illegal gains, and impose a fine of not less than 50,000 yuan and not more than 500,000 yuan; it may also order the suspension of the relevant business, suspension of operations for rectification, closure of the website, or revocation of the relevant business license. The directly responsible person in charge and other directly responsible persons shall be fined not less than 10,000 yuan and not more than 100,000 yuan.

Article 47 Where an operator, in violation of Article 31 of these Regulations, uses network products or services that have not undergone security review or have failed security review, the relevant national competent department shall, in accordance with its duties, order it to cease use and impose a fine of not less than one and not more than ten times the procurement amount; the directly responsible person in charge and other directly responsible persons shall be fined not less than 10,000 yuan and not more than 100,000 yuan.

Article 48 Where an individual violates Article 16 of these Regulations and the violation does not constitute a crime, the public security organ shall confiscate the illegal gains and impose detention of not more than five days, and may also impose a fine of not less than 50,000 yuan and not more than 500,000 yuan; where the circumstances are more serious, detention of not less than five and not more than fifteen days shall be imposed, and a fine of not less than 100,000 yuan and not more than 1,000,000 yuan may also be imposed. Where the violation constitutes a crime, criminal liability shall be pursued in accordance with law.

Where a unit commits any of the acts in the preceding paragraph, the public security organ shall confiscate the illegal gains and impose a fine of not less than 100,000 yuan and not more than 1,000,000 yuan, and shall punish the directly responsible person in charge and other directly responsible persons in accordance with the preceding paragraph.

Persons who receive criminal punishment for violating Article 16 of these Regulations shall be banned for life from working in critical information infrastructure security management or in key positions in network operations.

Article 49 Where the operator of critical information infrastructure of a state organ fails to perform the cybersecurity protection obligations provided for in these Regulations, its superior organ or the relevant organ shall order correction, and the directly responsible person in charge and other directly responsible persons shall be given disciplinary sanctions in accordance with law.

Article 50 Where a relevant department or its staff commits any of the following acts, the directly responsible person in charge and other directly responsible persons shall be given disciplinary sanctions in accordance with law; where a crime is constituted, criminal liability shall be pursued in accordance with law:

(1) using their authority to solicit or accept bribes in the course of their work;

(2) dereliction of duty or abuse of power;

(3) disclosing without authorization information, materials or data files relating to critical information infrastructure;

(4) other acts in breach of statutory duties.

    Article 51 Where a major cybersecurity incident occurs in critical information infrastructure and investigation determines that it is an accident attributable to a responsible party, then in addition to ascertaining and pursuing the responsibility of the operating unit in accordance with law, the responsibility of the relevant cybersecurity service organizations and relevant departments shall also be ascertained, and those guilty of dereliction of duty, malfeasance or other violations of law shall be held accountable in accordance with law.

Article 52 Where overseas institutions, organizations or individuals engage in attacks, intrusion, interference, destruction or other activities that endanger the critical information infrastructure of the People's Republic of China and cause serious consequences, legal liability shall be pursued in accordance with law; the public security department of the State Council, the state security organs and the relevant departments may also decide to freeze the assets of, or take other necessary sanctions against, the institution, organization or individual concerned.

 

Chapter VIII Supplementary Provisions

    Article 53 The security protection of critical information infrastructure that stores or processes information involving state secrets shall also comply with the provisions of laws and administrative regulations on the protection of state secrets.

The use and management of cryptography in critical information infrastructure shall also comply with the provisions of laws and administrative regulations on cryptography.

    Article 54 The security protection of military critical information infrastructure shall be separately prescribed by the Central Military Commission.

Article 55 These Regulations shall take effect on **** (date left blank in the draft).

Original Mandarin Chinese:

關鍵信息基礎設施安全保護條例
(徵求意見稿)

第一章 總則
第一條 為了保障關鍵信息基礎設施安全,根據《中華人民共和國網絡安全法》,制定本條例。
第二條 在中華人民共和國境內規劃、建設、運營、維護、使用關鍵信息基礎設施,以及開展關鍵信息基礎設施的安全保護,適用本條例。
第三條 關鍵信息基礎設施安全保護堅持頂層設計、整體防護,統籌協調、分工負責的原則,充分發揮運營主體作用,社會各方積極參與,共同保護關鍵信息基礎設施安全。
第四條 國家行業主管或監管部門按照國務院規定的職責分工,負責指導和監督本行業、本領域的關鍵信息基礎設施安全保護工作。
國家網信部門負責統籌協調關鍵信息基礎設施安全保護工作和相關監督管理工作。國務院公安、國家安全、國家保密行政管理、國家密碼管理等部門在各自職責範圍內負責相關網絡安全保護和監督管理工作。
縣級以上地方人民政府有關部門按照國家有關規定開展關鍵信息基礎設施安全保護工作。
第五條 關鍵信息基礎設施的運營者(以下稱運營者)對本單位關鍵信息基礎設施安全負主體責任,履行網絡安全保護義務,接受政府和社會監督,承擔社會責任。
國家鼓勵關鍵信息基礎設施以外的網絡運營者自願參與關鍵信息基礎設施保護體系。
第六條 關鍵信息基礎設施在網絡安全等級保護製度基礎上,實行重點保護。
第七條 任何個人和組織發現危害關鍵信息基礎設施安全的行為,有權向網信、電信、公安等部門以及行業主管或監管部門舉報。
收到舉報的部門應當及時依法作出處理;不屬於本部門職責的,應當及時移送有權處理的部門。
有關部門應當對舉報人的相關信息予以保密,保護舉報人的合法權益。

第二章 支持與保障
第八條 國家採取措施,監測、防禦、處置來源於中華人民共和國境內外的網絡安全風險和威脅,保護關鍵信息基礎設施免受攻擊、侵入、干擾和破壞,依法懲治網絡違法犯罪活動。
第九條國家製定產業、財稅、金融、人才等政策,支持關鍵信息基礎設施安全相關的技術、產品、服務創新,推廣安全可信的網絡產品和服務,培養和選拔網絡安全人才,提高關鍵信息基礎設施的安全水平。
第十條 國家建立和完善網絡安全標準體系,利用標準指導、規範關鍵信息基礎設施安全保護工作。
第十一條 地市級以上人民政府應當將關鍵信息基礎設施安全保護工作納入地區經濟社會發展總體規劃,加大投入,開展工作績效考核評價。
第十二條 國家鼓勵政府部門、運營者、科研機構、網絡安全服務機構、行業組織、網絡產品和服務提供者開展關鍵信息基礎設施安全合作。
第十三條國家行業主管或監管部門應當設立或明確專門負責本行業、本領域關鍵信息基礎設施安全保護工作的機構和人員,編制並組織實施本行業、本領域的網絡安全規劃,建立健全工作經費保障機制並督促落實。
第十四條 能源、電信、交通等行業應當為關鍵信息基礎設施網絡安全事件應急處置與網絡功能恢復提供電力供應、網絡通信、交通運輸等方面的重點保障和支持。
第十五條 公安機關等部門依法偵查打擊針對和利用關鍵信息基礎設施實施的違法犯罪活動。
第十六條 任何個人和組織不得從事下列危害關鍵信息基礎設施的活動和行為:
(一)攻擊、侵入、干擾、破壞關鍵信息基礎設施;
(二)非法獲取、出售或者未經授權向他人提供可能被專門用於危害關鍵信息基礎設施安全的技術資料等信息;
(三)未經授權對關鍵信息基礎設施開展滲透性、攻擊性掃描探測;
(四)明知他人從事危害關鍵信息基礎設施安全的活動,仍然為其提供互聯網接入、服務器託管、網絡存儲、通訊傳輸、廣告推廣、支付結算等幫助;
(五)其他危害關鍵信息基礎設施的活動和行為。
第十七條 國家立足開放環境維護網絡安全,積極開展關鍵信息基礎設施安全領域的國際交流與合作。

第三章 關鍵信息基礎設施範圍
第十八條 下列單位運行、管理的網絡設施和信息系統,一旦遭到破壞、喪失功能或者數據洩露,可能嚴重危害國家安全、國計民生、公共利益的,應當納入關鍵信息基礎設施保護範圍:
(一)政府機關和能源、金融、交通、水利、衛生醫療、教育、社保、環境保護、公用事業等行業領域的單位;
(二)電信網、廣播電視網、互聯網等信息網絡,以及提供雲計算、大數據和其他大型公共信息網絡服務的單位;
(三)國防科工、大型裝備、化工、食品藥品等行業領域科研生產單位;
(四)廣播電台、電視台、通訊社等新聞單位;
(五)其他重點單位。
第十九條 國家網信部門會同國務院電信主管部門、公安部門等部門製定關鍵信息基礎設施識別指南。
國家行業主管或監管部門按照關鍵信息基礎設施識別指南,組織識別本行業、本領域的關鍵信息基礎設施,並按程序報送識別結果。
關鍵信息基礎設施識別認定過程中,應當充分發揮有關專家作用,提高關鍵信息基礎設施識別認定的準確性、合理性和科學性。
第二十條 新建、停運關鍵信息基礎設施,或關鍵信息基礎設施發生重大變化的,運營者應當及時將相關情況報告國家行業主管或監管部門。
國家行業主管或監管部門應當根據運營者報告的情況及時進行識別調整,並按程序報送調整情況。

第四章 運營者安全保護
第二十一條 建設關鍵信息基礎設施應當確保其具有支持業務穩定、持續運行的性能,並保證安全技術措施同步規劃、同步建設、同步使用。
第二十二條 運營者主要負責人是本單位關鍵信息基礎設施安全保護工作第一責任人,負責建立健全網絡安全責任制並組織落實,對本單位關鍵信息基礎設施安全保護工作全面負責。
第二十三條 運營者應當按照網絡安全等級保護製度的要求,履行下列安全保護義務,保障關鍵信息基礎設施免受干擾、破壞或者未經授權的訪問,防止網絡數據洩漏或者被竊取、篡改:
(一)制定內部安全管理制度和操作規程,嚴格身份認證和權限管理;
(二)採取技術措施,防範計算機病毒和網絡攻擊、網絡侵入等危害網絡安全行為;
(三)採取技術措施,監測、記錄網絡運行狀態、網絡安全事件,並按照規定留存相關的網絡日誌不少於六個月;
(四)採取數據分類、重要數據備份和加密認證等措施。
第二十四條 除本條例第二十三條外,運營者還應當按照國家法律法規的規定和相關國家標準的強制性要求,履行下列安全保護義務:
(一)設置專門網絡安全管理機構和網絡安全管理負責人,並對該負責人和關鍵崗位人員進行安全背景審查;
(二)定期對從業人員進行網絡安全教育、技術培訓和技能考核;
(三)對重要係統和數據庫進行容災備份,及時對系統漏洞等安全風險採取補救措施;
(四)制定網絡安全事件應急預案並定期進行演練;
(五)法律、行政法規規定的其他義務。
第二十五條 運營者網絡安全管理負責人履行下列職責:
(一) 組織製定網絡安全規章制度、操作規程並監督執行;
(二)組織對關鍵崗位人員的技能考核;
(三)組織製定並實施本單位網絡安全教育和培訓計劃;
(四)組織開展網絡安全檢查和應急演練,應對處置網絡安全事件;
(五)按規定向國家有關部門報告網絡安全重要事項、事件。
第二十六條 運營者網絡安全關鍵崗位專業技術人員實行執證上崗制度。
執證上崗具體規定由國務院人力資源社會保障部門會同國家網信部門等部門製定。
第二十七條 運營者應當組織從業人員網絡安全教育培訓,每人每年教育培訓時長不得少於1個工作日,關鍵崗位專業技術人員每人每年教育培訓時長不得少於3個工作日。
第二十八條 運營者應當建立健全關鍵信息基礎設施安全檢測評估制度,關鍵信息基礎設施上線運行前或者發生重大變化時應當進行安全檢測評估。
運營者應當自行或委託網絡安全服務機構對關鍵信息基礎設施的安全性和可能存在的風險隱患每年至少進行一次檢測評估,對發現的問題及時進行整改,並將有關情況報國家行業主管或監管部門。
第二十九條 運營者在中華人民共和國境內運營中收集和產生的個人信息和重要數據應當在境內存儲。因業務需要,確需向境外提供的,應當按照個人信息和重要數據出境安全評估辦法進行評估;法律、行政法規另有規定的,依照其規定。

第五章 產品和服務安全
第三十條 運營者採購、使用的網絡關鍵設備、網絡安全專用產品,應當符合法律、行政法規的規定和相關國家標準的強制性要求。
第三十一條 運營者採購網絡產品和服務,可能影響國家安全的,應當按照網絡產品和服務安全審查辦法的要求,通過網絡安全審查,並與提供者簽訂安全保密協議。
第三十二條 運營者應當對外包開發的系統、軟件,接受捐贈的網絡產品,在其上線應用前進行安全檢測。
第三十三條 運營者發現使用的網絡產品、服務存在安全缺陷、漏洞等風險的,應當及時採取措施消除風險隱患,涉及重大風險的應當按規定向有關部門報告。
第三十四條 關鍵信息基礎設施的運行維護應當在境內實施。因業務需要,確需進行境外遠程維護的,應事先報國家行業主管或監管部門和國務院公安部門。
第三十五條 面向關鍵信息基礎設施開展安全檢測評估,發布系統漏洞、計算機病毒、網絡攻擊等安全威脅信息,提供雲計算、信息技術外包等服務的機構,應當符合有關要求。
具體要求由國家網信部門會同國務院有關部門製定。

第六章 監測預警、應急處置和檢測評估
第三十六條國家網信部門統籌建立關鍵信息基礎設施網絡安全監測預警體系和信息通報製度,組織指導有關機構開展網絡安全信息匯總、分析研判和通報工作,按照規定統一發佈網絡安全監測預警信息。
第三十七條國家行業主管或監管部門應當建立健全本行業、本領域的關鍵信息基礎設施網絡安全監測預警和信息通報製度,及時掌握本行業、本領域關鍵信息基礎設施運行狀況和安全風險,向有關運營者通報安全風險和相關工作信息。
國家行業主管或監管部門應當組織對安全監測信息進行研判,認為需要立即採取防範應對措施的,應當及時向有關運營者發布預警信息和應急防範措施建議,並按照國家網絡安全事件應急預案的要求向有關部門報告。
第三十八條 國家網信部門統籌協調有關部門、運營者以及有關研究機構、網絡安全服務機構建立關鍵信息基礎設施網絡安全信息共享機制,促進網絡安全信息共享。
第三十九條國家網信部門按照國家網絡安全事件應急預案的要求,統籌有關部門建立健全關鍵信息基礎設施網絡安全應急協作機制,加強網絡安全應急力量建設,指導協調有關部門組織跨行業、跨地域網絡安全應急演練。
國家行業主管或監管部門應當組織製定本行業、本領域的網絡安全事件應急預案,並定期組織演練,提升網絡安全事件應對和災難恢復能力。發生重大網絡安全事件或接到網信部門的預警信息後,應立即啟動應急預案組織應對,並及時報告有關情況。
第四十條國家行業主管或監管部門應當定期組織對本行業、本領域關鍵信息基礎設施的安全風險以及運營者履行安全保護義務的情況進行抽查檢測,提出改進措施,指導、督促運營者及時整改檢測評估中發現的問題。
國家網信部門統籌協調有關部門開展的抽查檢測工作,避免交叉重複檢測評估。
第四十一條 有關部門組織開展關鍵信息基礎設施安全檢測評估,應堅持客觀公正、高效透明的原則,採取科學的檢測評估方法,規範檢測評估流程,控制檢測評估風險。
運營者應當對有關部門依法實施的檢測評估予以配合,對檢測評估發現的問題及時進行整改。
第四十二條 有關部門組織開展關鍵信息基礎設施安全檢測評估,可採取下列措施:
(一)要求運營者相關人員就檢測評估事項作出說明;
(二)查閱、調取、複製與安全保護有關的文檔、記錄;
(三)查看網絡安全管理制度製訂、落實情況以及網絡安全技術措施規劃、建設、運行情況;
(四)利用檢測工具或委託網絡安全服務機構進行技術檢測;
(五)經運營者同意的其他必要方式。
第四十三條 有關部門以及網絡安全服務機構在關鍵信息基礎設施安全檢測評估中獲取的信息,只能用於維護網絡安全的需要,不得用於其他用途。
第四十四條 有關部門組織開展關鍵信息基礎設施安全檢測評估,不得向被檢測評估單位收取費用,不得要求被檢測評估單位購買指定品牌或者指定生產、銷售單位的產品和服務。

第七章 法律責任
第四十五條運營者不履行本條例第二十條第一款、第二十一條、第二十三條、第二十四條、第二十六條、第二十七條、第二十八條、第三十條、第三十二條、第三十三條、第三十四條規定的網絡安全保護義務的,由有關主管部門依據職責責令改正,給予警告;拒不改正或者導致危害網絡安全等後果的,處十萬元以上一百萬元以下罰款,對直接負責的主管人員處一萬元以上十萬元以下罰款。
第四十六條運營者違反本條例第二十九條規定,在境外存儲網絡數據,或者向境外提供網絡數據的,由國家有關主管部門依據職責責令改正,給予警告,沒收違法所得,處五萬元以上五十萬元以下罰款,並可以責令暫停相關業務、停業整頓、關閉網站、吊銷相關業務許可證;對直接負責的主管人員和其他直接責任人員處一萬元以上十萬元以下罰款。
第四十七條運營者違反本條例第三十一條規定,使用未經安全審查或安全審查未通過的網絡產品或者服務的,由國家有關主管部門依據職責責令停止使用,處採購金額一倍以上十倍以下罰款;對直接負責的主管人員和其他直接責任人員處一萬元以上十萬元以下罰款。
第四十八條個人違反本條例第十六條規定,尚不構成犯罪的,由公安機關沒收違法所得,處五日以下拘留,可以並處五萬元以上五十萬元以下罰款;情節較重的,處五日以上十五日以下拘留,可以並處十萬元以上一百萬元以下罰款;構成犯罪的,依法追究刑事責任。
單位有前款行為的,由公安機關沒收違法所得,處十萬元以上一百萬元以下罰款,並對直接負責的主管人員和其他直接責任人員依照前款規定處罰。
違反本條例第十六條規定,受到刑事處罰的人員,終身不得從事關鍵信息基礎設施安全管理和網絡運營關鍵崗位的工作。
第四十九條 國家機關關鍵信息基礎設施的運營者不履行本條例規定的網絡安全保護義務的,由其上級機關或者有關機關責令改正;對直接負責的主管人員和其他直接負責人員依法給予處分。
第五十條 有關部門及其工作人員有下列行為之一的,對直接負責的主管人員和其他直接責任人員依法給予處分;構成犯罪的,依法追究刑事責任:
(一)在工作中利用職權索取、收受賄賂;
(二)玩忽職守、濫用職權;
(三)擅自洩露關鍵信息基礎設施有關信息、資料及數據文件;
(四)其他違反法定職責的行為。
第五十一條關鍵信息基礎設施發生重大網絡安全事件,經調查確定為責任事故的,除應當查明運營單位責任並依法予以追究外,還應查明相關網絡安全服務機構及有關部門的責任,對有失職、瀆職及其他違法行為的,依法追究責任。
第五十二條境外的機構、組織、個人從事攻擊、侵入、干擾、破壞等危害中華人民共和國的關鍵信息基礎設施的活動,造成嚴重後果的,依法追究法律責任;國務院公安部門、國家安全機關和有關部門並可以決定對該機構、組織、個人採取凍結財產或者其他必要的製裁措施。

第八章 附則
第五十三條 存儲、處理涉及國家秘密信息的關鍵信息基礎設施的安全保護,還應當遵守保密法律、行政法規的規定。
關鍵信息基礎設施中的密碼使用和管理,還應當遵守密碼法律、行政法規的規定。
第五十四條 軍事關鍵信息基礎設施的安全保護,由中央軍事委員會另行規定。
第五十五條 本條例自****年**月**日起施行。

Referring URL:

http://www.cac.gov.cn/2017-07/11/c_1121294220.htm
