Notice of the State Internet Information Office on the Public Solicitation of Opinions on the Regulations on the Security Protection of Key Information Infrastructure (Draft for Comment)

  In order to ensure the security of critical information infrastructure, and in accordance with the Cyber Security Law of the People’s Republic of China, our office, together with relevant departments, has drafted the Regulations on the Security Protection of Critical Information Infrastructure (Draft for Comment), which is hereby published for public comment. Relevant units and members of the public may submit comments by the following means before August 10, 2017:

  1. By letter to the Network Security Coordination Bureau of the National Internet Information Office, No. 11 Chegongzhuang Street, Xicheng District, Beijing, postal code 100044, with "Solicitation of Opinions" marked on the envelope.

  2. By e-mail to security@cac.gov.cn.


  Attachment: Regulations on Security Protection of Key Information Infrastructure (Draft for Comment)


National Internet Information Office

July 10, 2017


Regulations on Security Protection of Key Information Infrastructure

(Draft for Comment)


Chapter I General Provisions

  Article 1 In order to ensure the security of key information infrastructure, these Regulations are formulated in accordance with the Cyber Security Law of the People’s Republic of China.

  Article 2 These Regulations apply to the planning, construction, operation, maintenance and use of key information infrastructure within the territory of the People’s Republic of China (PRC), and to the security protection of key information infrastructure.

  Article 3 The security protection of key information infrastructure adheres to the principles of top-level design, overall protection, unified coordination and division of responsibilities, gives full play to the role of the operating entities, and relies on the active participation of all sectors of society to jointly protect the security of key information infrastructure.

  Article 4 In accordance with the division of responsibilities stipulated by the State Council, the national industry supervisory or regulatory departments are responsible for guiding and supervising the security protection of key information infrastructure in their respective industries and fields.

  The national network information department is responsible for the overall coordination of the security protection of key information infrastructure and for related supervision and management. The public security, state security, state secrecy administration, state cryptography administration and other departments of the State Council are responsible for the relevant network security protection, supervision and management within their respective responsibilities.

  The relevant departments of the local people’s governments at or above the county level shall carry out the security protection of key information infrastructure in accordance with the relevant provisions of the state.

  Article 5 Operators of key information infrastructure (hereinafter referred to as operators) bear primary responsibility for the security of their own key information infrastructure, fulfill their network security protection obligations, accept government and social supervision, and assume social responsibility.

  The state encourages network operators outside the key information infrastructure to voluntarily participate in the key information infrastructure protection system.

  Article 6 Key information infrastructure shall receive priority protection on the basis of the network security multi-level protection system.

  Article 7 Any individual or organization that discovers conduct endangering the security of key information infrastructure has the right to report it to the network information, telecommunications or public security departments, or to the industry supervisory or regulatory departments.

  The department receiving the report shall promptly handle it according to law; where the matter falls outside its responsibilities, it shall be transferred in a timely manner to the department with authority to handle it.

  The relevant departments shall keep confidential the relevant information of informants and protect their legitimate rights and interests.


Chapter II Support and Guarantee

  Article 8 The state takes measures to monitor, defend and deal with cyber security risks and threats originating from inside and outside People’s Republic of China (PRC), protect key information infrastructure from attack, intrusion, interference and destruction, and punish illegal and criminal activities on the Internet according to law.

  Article 9 The state formulates industrial, fiscal, taxation, financial and talent policies, supports the innovation of technologies, products and services related to the security of key information infrastructure, promotes secure and trustworthy network products and services, trains and selects network security talent, and improves the security level of key information infrastructure.

  Article 10 The state establishes and improves the network security standard system, and uses standards to guide and standardize the security protection of key information infrastructure.

  Article 11 The people’s governments at or above the prefecture level shall incorporate the security protection of key information infrastructure into the overall planning of regional economic and social development, increase investment, and carry out performance evaluation.

  Article 12 The state encourages government departments, operators, scientific research institutions, network security service institutions, industry organizations and network products and service providers to carry out security cooperation on key information infrastructure.

  Article 13 The national industry supervisory or regulatory department shall establish or designate institutions and personnel specifically responsible for the security protection of key information infrastructure in its industry and field, prepare and organize the implementation of network security planning for that industry and field, and establish and improve a working fund guarantee mechanism and supervise its implementation.

  Article 14 The energy, telecommunications, transportation and other industries shall provide priority guarantees and support in power supply, network communications, transportation and other aspects for the emergency handling of network security incidents affecting key information infrastructure and for the recovery of network functions.

  Article 15 Public security organs and other departments investigate and crack down on illegal and criminal activities carried out against and using key information infrastructure according to law.

  Article 16 No individual or organization may engage in the following activities or conduct that endanger key information infrastructure:

  (1) attacking, intruding into, interfering with or destroying key information infrastructure;

  (2) illegally obtaining, selling or providing to others, without authorization, technical data or other information that may be specifically used to endanger the security of key information infrastructure;

  (3) conducting penetrative or offensive scanning and probing of key information infrastructure without authorization;

  (4) providing Internet access, server hosting, network storage, communications transmission, advertising promotion, payment and settlement or other assistance to others while knowing that they are engaged in activities that endanger the security of key information infrastructure;

  (5) other activities or conduct that endanger key information infrastructure.

  Article 17 The state maintains network security based on an open environment and actively carries out international exchanges and cooperation in the field of key information infrastructure security.


Chapter III Scope of Key Information Infrastructure

  Article 18 The network facilities and information systems operated and managed by the following units shall be included in the protection scope of key information infrastructure where their damage, loss of function or data leakage could seriously endanger national security, the national economy, people’s livelihood or the public interest:

  (1) government agencies, and units in the energy, finance, transportation, water conservancy, health care, education, social security, environmental protection, public utilities and other industries;

  (2) information networks such as telecommunications networks, radio and television networks and the Internet, and units providing cloud computing, big data and other large-scale public information network services;

  (3) scientific research and production units in fields such as national defense science and technology, large-scale equipment, the chemical industry, food and medicine;

  (4) news organizations such as radio stations, television stations and news agencies;

  (5) other key units.

  Article 19 The national network information department shall, jointly with the telecommunications authorities of the State Council and the public security departments, formulate guidelines for the identification of key information infrastructure.

  The national industry supervisory or regulatory department shall, in accordance with the guidelines for the identification of key information infrastructure, organize the identification of key information infrastructure in its industry and field and submit the identification results according to procedure.

  In the process of identifying key information infrastructure, full play shall be given to the role of relevant experts, so as to improve the accuracy, rationality and scientific basis of the identification.

  Article 20 If the key information infrastructure is newly built or shut down, or there is a major change in the key information infrastructure, the operator shall promptly report the relevant situation to the national industry supervisor or regulatory department.

  The national industry supervisor or regulatory department shall make timely identification and adjustment according to the situation reported by the operator, and submit the adjustment according to the procedure.


Chapter IV Security Protection by Operators

  Article 21 Key information infrastructure shall be constructed so as to have the performance needed to support the stable and continuous operation of business, and security technical measures shall be planned, constructed and put into use synchronously with it.

  Article 22 The main person in charge of the operator is the first person in charge of the security protection of the key information infrastructure of the unit, responsible for establishing and improving the network security responsibility system and organizing its implementation, and fully responsible for the security protection of the key information infrastructure of the unit.

  Article 23 Operators shall, in accordance with the requirements of the network security multi-level protection system, perform the following security protection obligations to protect key information infrastructure from interference, destruction or unauthorized access, and to prevent network data from being leaked, stolen or tampered with:

  (1) formulate internal security management systems and operating procedures, and strictly implement identity authentication and access authority management;

  (2) take technical measures to prevent computer viruses, network attacks, network intrusions and other acts that endanger network security;

  (3) take technical measures to monitor and record network operation status and network security incidents, and retain the relevant network logs for not less than six months in accordance with regulations;

  (4) take measures such as data classification, backup of important data, and encryption and authentication.

  Article 24 In addition to the obligations in Article 23 of these Regulations, operators shall also perform the following security protection obligations in accordance with national laws and regulations and the mandatory requirements of relevant national standards:

  (1) establish a dedicated network security management organization and a person in charge of network security management, and conduct security background checks on that person and on personnel in key positions;

  (2) regularly conduct network security education, technical training and skills assessment for employees;

  (3) make disaster recovery backups of important systems and databases, and promptly take remedial measures against security risks such as system vulnerabilities;

  (4) formulate emergency plans for network security incidents and conduct regular drills;

  (5) other obligations stipulated by laws and administrative regulations.

  Article 25 The operator’s person in charge of network security management shall perform the following duties:

  (1) organize the formulation of network security rules, regulations and operating procedures, and supervise their implementation;

  (2) organize the skills assessment of personnel in key positions;

  (3) organize the formulation and implementation of the unit’s network security education and training plan;

  (4) organize network security inspections and emergency drills, and respond to and handle network security incidents;

  (5) report major network security issues and incidents in accordance with the provisions of the relevant state departments.

  Article 26 Professional and technical personnel in key network security positions of operators shall be subject to a certificate-holding requirement.

  The specific regulations for holding a certificate shall be formulated by the human resources and social security department of the State Council in conjunction with the national network information department and other departments.

  Article 27 Operators shall organize network security education and training for employees, and the duration of education and training shall not be less than 1 working day per person per year, and the duration of education and training for professional and technical personnel in key positions shall not be less than 3 working days per person per year.

  Article 28 Operators shall establish and improve a security testing and evaluation system for key information infrastructure, and shall conduct security testing and evaluation before key information infrastructure is put into operation and whenever major changes occur.

  Operators shall, by themselves or by entrusting network security service agencies, conduct testing and evaluation of the security of key information infrastructure and its potential risks at least once a year, promptly rectify any problems found, and report the relevant information to the national industry supervisory or regulatory department.

  Article 29 Personal information and important data collected and generated by operators during operations within the territory of the People’s Republic of China (PRC) shall be stored within the territory. Where it is truly necessary to provide such data overseas for business reasons, a security assessment shall be conducted in accordance with the measures on security assessment of cross-border transfers of personal information and important data; where laws and administrative regulations provide otherwise, those provisions shall prevail.


Chapter V Security of Products and Services

  Article 30 Key network equipment and specialized network security products purchased and used by operators shall comply with the provisions of laws and administrative regulations and the mandatory requirements of relevant national standards.

  Article 31 Operators purchasing network products and services that may affect national security shall undergo a network security review in accordance with the measures for the security review of network products and services, and shall sign a security and confidentiality agreement with the provider.

  Article 32 Operators shall conduct security testing on outsourced systems and software and on donated network products before they go live.

  Article 33 Operators that find that network products or services they use carry risks such as security defects or vulnerabilities shall promptly take measures to eliminate the hidden danger; where major risks are involved, they shall report to the relevant departments in accordance with regulations.

  Article 34 The operation and maintenance of key information infrastructure shall be carried out within the territory of China. Where it is truly necessary to conduct remote maintenance from overseas for business reasons, the matter shall be reported in advance to the national industry supervisory or regulatory department and to the public security department of the State Council.

  Article 35 Institutions that conduct security testing and evaluation of key information infrastructure, publish security threat information such as system vulnerabilities, computer viruses and network attacks, or provide services such as cloud computing and information technology outsourcing shall meet the relevant requirements.

  The specific requirements shall be formulated by the national network information department in conjunction with the relevant departments of the State Council.


Chapter VI Monitoring and Early Warning, Emergency Response, and Testing and Evaluation

  Article 36 The national network information department will co-ordinate the establishment of a network security monitoring and early warning system and information notification system for key information infrastructure, organize and guide relevant institutions to carry out network security information summary, analysis, judgment and notification, and uniformly release network security monitoring and early warning information in accordance with regulations.

  Article 37 The national industry supervisory or regulatory department shall establish and improve a network security monitoring, early warning and information notification system for key information infrastructure in its industry and field, keep abreast of the operating status and security risks of key information infrastructure in that industry and field, and notify the relevant operators of security risks and related work information.

  The national industry supervisory or regulatory department shall organize the analysis and assessment of security monitoring information; where it deems immediate preventive measures necessary, it shall promptly issue early warning information and emergency preventive measures and suggestions to the relevant operators, and report to the relevant departments in accordance with the requirements of the national emergency plan for network security incidents.

  Article 38 The national network information department coordinates relevant departments, operators, relevant research institutions and network security service institutions to establish a network security information sharing mechanism for key information infrastructure to promote network security information sharing.

  Article 39 The national network information department shall, in accordance with the requirements of the national network security emergency plan, coordinate relevant departments to establish and improve the network security emergency cooperation mechanism for key information infrastructure, strengthen the construction of network security emergency forces, and guide and coordinate relevant departments to organize cross-industry and cross-regional network security emergency drills.

  The national industry supervisor or regulatory department shall organize the formulation of emergency plans for cyber security incidents in its own industry and field, and organize regular drills to enhance its ability to respond to cyber security incidents and recover from disasters. After the occurrence of major network security incidents or receiving early warning information from the network information department, the emergency plan should be immediately launched to organize the response, and the relevant situation should be reported in time.

  Article 40 The national industry supervisory or regulatory department shall regularly organize spot checks on the security risks of key information infrastructure in its industry and field and on operators’ performance of their security protection obligations, propose improvement measures, and guide and urge operators to promptly rectify problems found in testing and evaluation.

  The national network information department shall coordinate the spot checks and testing carried out by the relevant departments so as to avoid overlapping and duplicate testing and evaluation.

  Article 41 Relevant departments should adhere to the principles of objectivity, fairness, efficiency and transparency, adopt scientific testing and evaluation methods, standardize testing and evaluation processes, and control testing and evaluation risks.

  The operator shall cooperate with the inspection and evaluation carried out by the relevant departments according to law, and timely rectify the problems found in the inspection and evaluation.

  Article 42 When organizing the security testing and evaluation of key information infrastructure, the relevant departments may take the following measures:

  (1) require the operator’s relevant personnel to explain matters under testing and evaluation;

  (2) consult, retrieve and copy documents and records related to security protection;

  (3) inspect the formulation and implementation of the network security management system and the planning, construction and operation of network security technical measures;

  (4) use testing tools or entrust network security service agencies to carry out technical testing;

  (5) other necessary means, with the consent of the operator.

  Article 43 The information obtained by relevant departments and network security service institutions in the security detection and evaluation of key information infrastructure can only be used for the needs of maintaining network security and shall not be used for other purposes.

  Article 44 When organizing the security testing and evaluation of key information infrastructure, the relevant departments shall not charge the units being tested and evaluated, and shall not require them to purchase products or services of designated brands or of designated producers or vendors.


Chapter VII Legal Liability

  Article 45 Where an operator fails to perform the network security protection obligations stipulated in the first paragraph of Article 20, Article 21, Article 23, Article 24, Article 26, Article 27, Article 28, Article 30, Article 32, Article 33 or Article 34 of these Regulations, the relevant competent department shall, according to its duties, order correction and issue a warning; where the operator refuses to correct or the failure results in harm to network security, a fine of not less than 100,000 yuan but not more than 1,000,000 yuan shall be imposed, and the persons directly in charge shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

  Article 46 Operators who, in violation of Article 29 of these Regulations, store network data overseas or provide network data overseas shall be ordered by the relevant competent state departments, according to their duties, to make corrections, be given a warning, have their illegal gains confiscated, and be fined not less than 50,000 yuan but not more than 500,000 yuan; they may also be ordered to suspend the related business, suspend operations for rectification, close websites, or have related business permits or licenses revoked. The persons directly in charge and other directly responsible personnel shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

  Article 47 Where operators, in violation of Article 31 of these Regulations, use network products or services that have not undergone or have not passed the security review, the relevant competent state departments shall, according to their duties, order them to stop using such products or services and impose a fine of not less than one but not more than ten times the purchase amount; the persons directly in charge and other directly responsible personnel shall be fined not less than 10,000 yuan but not more than 100,000 yuan.

  Article 48 Where an individual violates Article 16 of these Regulations and the violation does not constitute a crime, the public security organs shall confiscate the illegal gains and impose detention of not more than five days, and may impose a fine of not less than 50,000 yuan but not more than 500,000 yuan; where the circumstances are serious, detention of not less than five but not more than fifteen days shall be imposed, and a fine of not less than 100,000 yuan but not more than 1,000,000 yuan may be imposed. Where a crime is constituted, criminal liability shall be pursued according to law.

  Where a unit commits the acts mentioned in the preceding paragraph, the public security organs shall confiscate the illegal gains and impose a fine of not less than 100,000 yuan but not more than 1,000,000 yuan, and the persons directly in charge and other directly responsible personnel shall be punished in accordance with the preceding paragraph.

  A person who has received criminal punishment for violating Article 16 of these Regulations shall be barred for life from engaging in key information infrastructure security management work and from key positions in network operations.

  Article 49 Where an operator of key information infrastructure that is a state organ fails to perform the network security protection obligations stipulated in these Regulations, its superior authority or the relevant competent authority shall order it to make corrections; the persons directly in charge and other directly responsible personnel shall be punished according to law.

  Article 50 Where the relevant departments or their staff commit any of the following acts, the persons directly in charge and other directly responsible personnel shall be punished according to law; where a crime is constituted, criminal liability shall be pursued according to law:

  (1) soliciting or accepting bribes by taking advantage of their position;

  (2) neglecting their duties or abusing their powers;

  (3) disclosing without authorization information, data or materials related to key information infrastructure;

  (4) other acts in violation of their statutory duties.

  Article 51 Where a major network security incident occurs in key information infrastructure and is determined after investigation to be a responsibility accident, the responsibility of the operating unit shall be ascertained and pursued according to law, and the responsibility of the relevant network security service institutions and relevant departments shall also be ascertained; those found to have been negligent, to have committed dereliction of duty or to have committed other illegal acts shall be dealt with according to law.

  Article 52 Overseas institutions, organizations and individuals engaged in attacks, intrusions, interference, destruction and other activities that endanger People’s Republic of China (PRC)’s key information infrastructure, resulting in serious consequences, shall be investigated for legal responsibility according to law; The public security departments, state security organs and relevant departments of the State Council may also decide to freeze assets or take other necessary sanctions against the institution, organization or individual.


Chapter VIII Supplementary Provisions

  Article 53 The security protection of key information infrastructure that stores or processes state secret information shall also comply with the provisions of laws and administrative regulations on the protection of state secrets.

  The use and management of cryptography in key information infrastructure shall also comply with the provisions of laws and administrative regulations on cryptography.

  Article 54 The security protection of military key information infrastructure shall be stipulated separately by the Central Military Commission (CMC).

  Article 55 These Regulations shall come into force as of * * * * on * * year.
