Communication network security protection management method

Communication network security protection management method

Ministry of Industry and Information Technology of the People's Republic of China Order No. 11

The "Measures for the Management of Communication Network Security Protection" was approved by the 8th Ministerial Meeting of the Ministry of Industry and Information Technology of the People's Republic of China on December 29, 2009 and is hereby promulgated. It will come into effect on March 1, 2010.
Minister Li Yizhong January 21, 2010

Communication network security protection management method

Article 1 These Measures are formulated in accordance with the "PRC Telecommunications Regulations" in order to strengthen the management of communication network security, improve the security protection capabilities of communication networks and ensure the safe and unblocked communication networks.

Article 2 Network Security Protection of Public Communication Networks and the Internet (hereinafter referred to as "communication networks") that are operated and operated by telecommunication service providers and Internet domain name service providers (hereinafter collectively referred to as "communication network operation units") within the territory of the People's Republic of China. This method applies.

The Internet domain name service referred to in these Measures refers to the act of setting up a domain name database or a domain name resolution server to provide domain name holders with domain name registration or authoritative analysis services.

The term "network security protection" as mentioned in these Measures refers to the work carried out to prevent the communication network from being blocked, interrupted, flawed or illegally controlled, and to prevent the loss, leakage or falsification of data information transmitted, stored or processed in the communications network.

Article 3 The work of communication network security protection adheres to the principles of active defense, comprehensive prevention, and hierarchical protection.

Article 4 The Ministry of Industry and Information Technology of the People's Republic of China (hereinafter referred to as the Ministry of Industry and Information Technology) shall be responsible for the unified guidance, coordination, and inspection of the national communications network security protection work, and shall establish and improve a security protection system for communication networks and formulate relevant standards for the communications industry.

The communications administrations of the provinces, autonomous regions, and municipalities directly under the Central Government (hereinafter referred to as the Communications Authority) shall guide, coordinate, and inspect the security protection of communications networks in their respective administrative regions in accordance with the provisions of these Measures.

The Ministry of Industry and Information Technology and the Communications Administration are collectively referred to as the "telecommunication management agency."

Article 5 A communication network operation unit shall carry out security protection of communication networks in accordance with the regulations of the telecommunication management agencies and the standards of the communications industry, and shall be responsible for the security of the communication network of the organization.

Article 6 Communications network operation units shall establish communications network security facilities synchronously with newly constructed, rebuilt or expanded communications network engineering projects, and shall carry out acceptance and put into operation with the main project at the same time.

The expenses for the construction, reconstruction, and expansion of communication network security protection facilities shall be included in the budget estimates for the construction projects of the unit.

Article 7 The communication network operation unit shall divide the unit of the communication network that has been officially put into operation and according to the degree of harm to the national security, economic operation, social order and public interest after the destruction of the communication network unit, The highs are divided into first, second, third, fourth, and fifth grades.

Telecommunications management agencies should organize experts to review the classification of communication network units.

The communication network operating unit shall timely adjust the division and level of the communication network unit according to the actual situation, and conduct the review according to the provisions of the preceding paragraph.

Article 8 The communication network operating entity shall, within 30 days after the assessment of the classification and approval of the communication network, record the division and rating of the communication network unit according to the following provisions to the telecommunications administration organization:

(1) Basic telecommunication service provider group companies apply to the Ministry of Industry and Information Technology for the filing of their directly managed communication network units; Basic telecommunication service providers' subsidiaries (subsidiaries and branches) of all provinces (autonomous regions, municipalities directly under the central government) apply to the local communication authority Handle the registration of the communications network unit that it is responsible for managing;

(2) The operators of value-added telecommunications services shall register with the telecommunications regulatory agency that has made the telecommunication business license decision;

(3) Internet domain name service providers filed with the Ministry of Industry and Information Technology.

Article 9: The communications network operating unit shall submit the following information for the filing of the communications network unit:

(i) Names, levels and main functions of communication network units;

(2) The name and contact information of the responsible unit of the communication network unit;

(3) The name and contact information of the chief person in charge of the communication network unit;

(4) Topological architecture, network boundaries, major hardware and software, models and key facility locations of communication network units;

(5) Other information concerning the security of communications networks required by the telecommunication administration agency.

Where there is any change in the information for registration provided in the preceding paragraph, the operating unit of the communications network shall, within 30 days from the date of the change of information, change the record to the telecommunications regulatory agency.

The information reported by the operating unit of the communications network shall be true and complete.

Article 10 The telecommunications administration agency shall verify the authenticity and completeness of the filing information. If it is found that the filing information is not true or complete, it shall notify the filing unit to make corrections.

Article 11 The communication network operating entity shall implement the security protection measures appropriate to the level of the communication network unit, and conduct conformity evaluation according to the following provisions:

(i) The level 3 and above communications network units should conduct a conformity evaluation once a year;

(b) The secondary communications network unit shall conduct a conformity assessment every two years.

In the case of the division and level adjustment of the communication network unit, the conformity evaluation shall be conducted again within 90 days from the date of completion of the adjustment.

The communication network operation unit shall submit the results of the evaluation of the compliance of the communication network unit, the rectification situation or the rectification plan to the filing organization of the communication network unit within 30 days after the completion of the evaluation.

Article 12 The communication network operation entity shall organize the security network risk assessment for the communication network unit in accordance with the following provisions to eliminate major network security risks in a timely manner:

(1) The third-level and third-level communications network units should conduct security risk assessment once a year;

(b) The secondary communications network unit shall conduct a security risk assessment every two years.

Before the major national events are held, the communication network unit shall carry out security risk assessment according to the requirements of the telecommunication management agency.

The communication network operating unit shall submit the results of the security risk assessment, the treatment of hidden dangers or the treatment plan to the filing organization of the communication network unit within 30 days after the security risk assessment is completed.

Article 13 The communication network operating unit shall back up the important lines, equipment, systems and data of the communication network unit.

Article 14 Communications network operating units shall organize drills to verify the effectiveness of security measures for communications networks.

The communications network operating unit shall participate in the drill organized by the telecommunications management organization.

Article 15 A communications network operating entity shall establish and operate a communications network security monitoring system to monitor the security status of its own communications network.

Article 16 A communication network operation unit may entrust a professional institution to carry out evaluation, assessment, and monitoring of communication network security.

The Ministry of Industry and Information Technology shall, in accordance with the needs of the security protection work of the communications network, strengthen the guidance on the ability of the trustee's safety evaluation, assessment and monitoring as prescribed in the preceding paragraph.

Article 17 The telecommunications management agency shall inspect the operation of the communication network operation unit for the protection of communication network security.

Telecommunication regulatory agencies may take the following inspection measures:

(1) Check the compliance assessment report and risk assessment report of the operating unit of the communications network;

(2) access to documents and work records related to cyber security protection in the operating units of communications networks;

(3) Ask the staff of the communications network operation unit to learn about the situation;

(4) Checking the relevant facilities of the operating unit of the communications network;

(v) Technical analysis and testing of communications networks;

(6) Other inspection measures prescribed by laws and administrative regulations.

Article 18 Telecommunications regulatory agencies may entrust professional agencies to carry out security inspections of communications networks.

Article 19 A communication network operation unit shall cooperate with the telecommunication management institution and the specialized institutions entrusted by it to carry out inspection activities. The major network security risks discovered during the inspection shall be rectified in a timely manner.

Article 20 The telecommunications regulatory agencies shall inspect the security protection of the communications network and shall not affect the normal operation of the communications network. They shall not charge any fees and may not require the entity under inspection to purchase the security software, equipment or other products of the designated brand or designated unit.

Article 21: The staff of the telecommunication administration agencies and the professional institutions entrusted by them shall have the obligation to keep confidential the state secrets, trade secrets and personal privacy they have learned during the inspection.

Article 22 Violations of Article 6 Paragraph 1 of the Measures, Paragraphs 1 and 3 of Article 7, Article 8, Article 9, Article 11, Article 12, Article 13 and Article Article 14, articles 15 and 19 shall be rectified by telecommunications management agencies according to their duties and powers; if they refuse to make corrections, they shall be given a warning and shall be fined between 5,000 and 30,000 yuan.

Article 23 If the staff of a telecommunications administration institution violates the provisions of Articles 20 and 21 of these Measures, it shall be given an administrative sanction in accordance with the law; if it constitutes a crime, criminal responsibility shall be investigated according to law.

Article 24 These Measures shall come into force on March 1, 2010.