Regulations of Ningxia Hui Autonomous Region on Security Protection of Computer Information System

Chapter I General Provisions

Article 1 In order to strengthen the security protection of computer information systems, promote the healthy development of computer applications and informatization, and safeguard national security, social interests and the legitimate rights and interests of citizens, legal persons and other organizations, these Regulations are formulated in accordance with the Regulations of the People's Republic of China on the Security Protection of Computer Information Systems and the provisions of relevant laws and administrative regulations.

Article 2 These Regulations shall apply to the security protection of computer information systems within the administrative area of the autonomous region.

Article 3 Public security organs are responsible for the security protection of computer information systems.

State security organs, secrecy administrative departments, password administrative departments, information administrative departments and other relevant departments shall, within the scope of their respective duties, be responsible for the related work of computer information system security protection according to law.

Article 4 Units operating and using computer information systems shall fulfill their obligations of security protection of computer information systems according to law.

No organization or individual may use computer information systems to engage in activities that endanger national interests, social interests and the legitimate rights and interests of citizens, legal persons and other organizations, or endanger the security of computer information systems.

Chapter II Security Level Protection

Article 5 A security level protection system shall be implemented for computer information systems.

The security level protection of computer information systems adheres to the principle of independent classification and independent protection; operating and using units independently classify their systems according to the following standards:

(1) If damage to the computer information system may harm the legitimate rights and interests of citizens, legal persons and other organizations, but does not endanger national security, social order and public interests, it is the first level;

(2) If the destruction of the computer information system may cause serious damage to the legitimate rights and interests of citizens, legal persons and other organizations, or damage to social order and public interests, but does not endanger national security, it is the second level;

(3) If the destruction of the computer information system may cause serious damage to social order and public interests, or damage to national security, it is the third level;

(4) If the destruction of the computer information system may cause particularly serious damage to social order and public interests, or serious damage to national security, it is the fourth level;

(5) If the destruction of the computer information system may cause particularly serious damage to national security, it is the fifth level.

Article 6 Where a computer information system involves information about national security, social public interests and major economic construction, the operating unit or the competent department shall select a security level assessment institution that meets the statutory requirements to conduct a security level assessment of the computer information system and accurately verify the security protection level of the information system.

Article 7 Units operating and using computer information systems shall abide by the following provisions:

(1) classify and protect the computer information system according to the management norms and technical standards of hierarchical protection;

(2) for a new computer information system, determine the level of security protection in the planning and design stage, simultaneously build information security protection facilities that meet the requirements of the security protection level, and implement security protection measures;

(3) in accordance with the requirements of the computer information system's security protection level, use special information security technology products that have obtained the national sales license;

(4) regularly check and rectify the safety status, protection system and measures of the unit's computer information system;

(5) where the computer information system is determined to be above the second level of protection, formulate an emergency plan for major emergencies; where it is determined to be above level 3, the system security level shall be evaluated at least once a year;

(6) designate full-time personnel to be responsible for the safety management of the unit's computer information system. Full-time staff should pass the professional training of public security organs, human resources and social security departments at or above the municipal level, and obtain certificates.

Article 8 Units operating and using computer information systems above Grade II shall, within 30 days from the date of determining the security level, submit specific measures for information system protection to the local public security organs at or above the municipal level. Computer information systems that belong to the unified networking of cities or autonomous regions across districts shall also be reported to the public security organs of the autonomous region for the record.

If the structure, processing flow and service content of the computer information system change, resulting in a change in the level of security protection, or the public security organ requires a new classification due to actual needs, the operating and using units of the computer information system shall re-classify and re-record.

Article 9 The public security organ shall, within 15 working days from the date of receiving the filing materials, examine the materials submitted for filing, and issue filing certificates to those who meet the requirements of grade protection; if the classification is inaccurate or the protective measures do not meet the technical specifications, it shall notify the submitting unit in writing to make corrections within 15 working days from the date of receiving the filing materials.

Article 10 Units operating and using computer information systems shall implement the following safety technical protection measures:

(1) Redundancy or backup of important database and main equipment of the system;

(2) Prevention and control of computer virus;

(3) Preventing and tracking network attacks;

(4) Monitoring and recording of network security incidents;

(5) Identity registration and identity confirmation;

(6) Records of user accounts and network addresses;

(7) Security audit and early warning;

(8) Retention of system operation and user log records;

(9) Control of massive information;

(10) Prevention and control of harmful information and junk information;

(11) Other technical protection measures stipulated by laws and regulations.

Operators and users of computer information systems are encouraged to adopt advanced security protection technical measures.