Public Internet Network Security Incident Emergency Response Plan

ALL TRANSLATIONS ON THIS SITE ARE UNOFFICIAL AND ARE PROVIDED FOR REFERENCE PURPOSES ONLY. THESE TRANSLATIONS ARE CREATED AND CONTINUOUSLY UPDATED BY USERS --THEY ARE FREE TO VIEW, BUT PROPER ATTRIBUTION IS REQUIRED FOR DISTRIBUTION OF THESE OR DERIVATIVE TRANSLATIONS.
Title: 工业和信息化部关于印发《公共互联网网络安全突发事件应急预案》的通知
Promulgating Entities: Ministry of Industry and Information Technology
Reference number: 工信部网安[2017]281号
Promulgation Date: 2017-11-14
Expiration date: 
Source of text: http://xxgk.miit.gov.cn/gdnps/wjfbContent.jsp?id=5925919

工信部网安[2017]281号

To the Communications Administration Bureaus of each province, autonomous region, and directly-governed municipality; China Telecom Group Corporation, China Mobile Communications Group Corporation, and China United Network Communications Group Co., Ltd.; the National Computer Network Emergency Response Technical Coordination Center, the Chinese Information and Telecommunications Research Institute, the China Software Testing Center, and the National Industry Information Security Development Research Center; and domain name registration management and service bodies, Internet companies, and network security enterprises:

In order to further improve the emergency response mechanism for public Internet network security incidents and enhance response capabilities, the "Public Internet Network Security Incident Emergency Response Plan" has been drafted on the basis of the "PRC Cybersecurity Law", the "National Cybersecurity Incident Response Plan", and so forth. It is hereby issued to you; please implement it earnestly in light of actual conditions.

Ministry of Industry and Information Technology

2017/11/14

1. General Provisions
1.1 Purpose
1.2 Drafting Basis
1.3 Scope of Application
1.4 Work Principles

2. Organization System
2.1 Leadership bodies and duties
2.2 Working bodies and duties
2.3 Duties of other relevant units

3. Incident Levels
3.1 Especially Major Incidents
3.2 Major Incidents
3.3 Larger Incidents
3.4 Normal Incidents

4. Monitoring and Early Warning
4.1 Incident Monitoring
4.2 Early Warning Monitoring
4.3 Warning Levels
4.4 Publication of Warnings
4.5 Response to warnings
4.6 Lifting Warnings

5. Response and Disposition
5.1 Classified responses
5.2 Initial Disposition
5.3 Initiating Responses
5.4 Situation Tracking
5.5 Deployment Decisions
5.6 Concluding Response

6. Post-incident briefing
6.1 Investigation and Assessment
6.2 Awards, Punishments, and Accountability

7. Prevention and Response Preparation
7.1 Prevention and Protection
7.2 Emergency Response Drills
7.3 Publicity and Training
7.4 Tactics Construction
7.5 Tools and Components

8. Safeguard Measures
8.1 Implementation Responsibility
8.2 Funding Safeguards
8.3 Team Construction
8.4 Social Forces
8.5 International Cooperation

9. Supplementary Provisions
9.1 Plan Management
9.2 Early Warning Interpretation
9.3 Time for Implementation of the Plan

1. General Provisions

1.1 Purpose

To establish and complete the emergency response organizational system and working mechanisms for public Internet network security incidents, raise the comprehensive capacity to respond to public Internet network security incidents, ensure the timely and effective control, mitigation, and elimination of the social harm and losses caused by public Internet network security incidents, guarantee the continuous and stable operation of the public Internet and data security, preserve national cyberspace security, and safeguard economic operations and social order.

1.2 Drafting Basis

The "PRC Emergency Response Law", "PRC Cybersecurity Law", "PRC Telecommunications Regulations", and other such laws and regulations, and provisions such as the "National Public Emergency Incident Response Plan" and the "National Cybersecurity Incident Response Plan".

1.3 Scope of Application

This Plan applies to responses to network security incidents by basic telecommunications service enterprises, domain name registration management and service bodies (hereinafter referred to as "domain name bodies"), and Internet companies (including industrial Internet platform enterprises).

"Network security incidents", as used in this Plan, refers to incidents that occur suddenly, are caused by network attacks, network intrusions, malicious programs, and so forth, that cause or might cause serious social harm or impact, and that require the competent departments for telecommunications to take emergency measures to deal with network outages (congestion), system failures (irregularities), data leakage (loss), or spreading viruses.

"Competent departments for telecommunications", as used in this Plan, includes the Ministry of Industry and Information Technology and each province's (autonomous region's or municipality's) Bureau of Communications Administration.

Where the Ministry of Industry and Information Technology has separate provisions on responding to network security incidents during major national activities, follow those provisions.

1.4 Work Principles

Public Internet network security emergency response efforts are to persist in unified leadership and graded responsibility; persist in unified command, close coordination, rapid response, and scientific disposition; persist in putting prevention first and combining prevention with emergency response; implement the entity responsibility of basic telecommunications enterprises, domain name bodies, and Internet companies; and give full play to the role of all forces, such as network security professional bodies, enterprises, experts, and scholars.

2. Organization System

2.1 Leadership bodies and duties

Under the overall coordination of the Central Internet Information Office, the Ministry of Industry and Information Technology Leading Group on Network Security and Informatization (hereinafter referred to as the "Ministry Leading Group") uniformly leads public Internet network security emergency response management work, and is responsible for the uniform command and coordination of responses to especially major public Internet network security incidents.

2.2 Working bodies and duties

Under the overall coordination of the National Network Security Emergency Response Office established under the Central Internet Information Office, and under the unified leadership of the Ministry Leading Group, the Ministry of Industry and Information Technology's Network Security Emergency Response Office (hereinafter referred to as the "Ministry Emergency Response Office") is responsible for the management of public Internet network security emergency response work; promptly reports emergency response situations to the Ministry Leading Group and makes recommendations for responding to especially major network security incidents; is responsible for the unified command and coordination of responses to major network security incidents; and, as needed, coordinates responses to larger and normal network security incidents.

The specific work of the Ministry Emergency Response Office is to be undertaken by the Ministry of Industry and Information Technology Bureau of Network Security Management, with each unit's designated responsible personnel and liaisons participating in emergency response work.

2.3 Duties of other relevant units

The Bureau of Communications Administration in each province (autonomous region or municipality) is responsible for organizing, commanding, and coordinating the relevant units of that administrative area in carrying out public internet network security incident prevention, monitoring, reporting and emergency response work.

Basic telecommunications enterprises, domain name bodies, and Internet companies are responsible for their own unit's network security incident prevention, monitoring, reporting, and emergency response work, and provide technical support to other units' network security emergency response work.

The National Computer Network Emergency Response Technical Coordination Center, the Chinese Information and Telecommunications Research Institute, the China Software Testing Center, and the National Industry Information Security Development Research Center (hereinafter referred to as "network security professional bodies") are responsible for monitoring and reporting information on public Internet network security incidents and early warnings, and for providing decision-making support and technical support for emergency response work.

Network security enterprises are encouraged to participate in the public Internet network security emergency response work.

3. Incident Levels

According to the scope and degree of the threat to society, public Internet network security incidents are divided into four levels: especially major incidents, major incidents, larger incidents, and ordinary incidents.

3.1 Especially Major Incidents

Where any of the following are met, it is an especially major network security incident:

(1) a large number of Internet users across the country cannot go online normally;

(2) resolution of the .CN country code top-level domain (ccTLD) drops significantly;

(3) more than 100 million Internet users' information is disclosed;

(4) a network virus outbreak occurs over a large area of the country;

(5) other network security incidents that cause or might cause especially major harm or impact.

3.2 Major Incidents

Where any of the following are met, it is a major network security incident:

(1) a large number of Internet users in multiple provinces cannot go online normally;

(2) there are serious irregularities in accessing websites or platforms that are influential at the national level;

(3) Serious abnormalities occur in large scale Domain Name Resolution Systems;

(4) more than 10 million Internet users' information is disclosed;

(5) There is a network virus outbreak in various provinces;

(6) other network security incidents that cause or might cause major harm or impact.

3.3 Larger Incidents

Where any of the following are met, it is a Larger Network Security incident:

(1) a large number of Internet users in one province cannot go online normally;

(2) there are serious irregularities in accessing websites or platforms that are influential within a province;

(3) more than 1 million Internet users' information is disclosed;

(4) there is a network virus outbreak over a large area of a province;

(5) other network security incidents that cause or might cause larger harm or impact.

3.4 Normal Incidents

Where any of the following are met, it is a Normal Network Security incident:

(1) a large number of Internet users in one city cannot go online normally;

(2) more than 10 million Internet users' information is disclosed;

(3) other network security incidents that cause or might cause normal harm or impact.

4. Monitoring and Early Warning

4.1 Incident Monitoring

Basic telecommunications enterprises, domain name bodies, and Internet companies shall closely monitor the operating status of their own networks and systems, and once a network security incident provided for in this Plan occurs, shall immediately report it by telephone or other means to the Ministry Emergency Response Office and the relevant province's (autonomous region's or municipality's) Communications Administration Bureau; late reports, false reports, concealment, and omitted reports are not permitted.

Network security professional bodies and network security enterprises shall monitor and collect, through multiple channels, information on public Internet network security incidents that have already occurred, and promptly report it to the Ministry Emergency Response Office and the relevant province's (autonomous region's or municipality's) Communications Administration Bureau.

When reporting incident information, the time the incident occurred, the preliminarily determined scope of impact and harm, the emergency response measures already taken, and relevant recommendations shall be stated.

4.2 Early Warning Monitoring

Basic telecommunications enterprises, domain name bodies, Internet companies, network security professional bodies, and network security enterprises shall monitor and collect, through multiple channels, hidden network security dangers and early warning information such as vulnerabilities, viruses, and the latest trends in network attacks, and analyze and assess the likelihood of an incident occurring and the impact it might cause; where they find that an especially major or major incident might occur, they shall immediately report to the Ministry Emergency Response Office; where they find that a larger or normal incident might occur, they shall immediately report to the relevant province's (autonomous region's or municipality's) Communications Administration Bureau.

4.3 Warning Levels

An early warning system for public Internet network incidents is established. Based on urgency, development trends, and the degree of harm that might be caused, public Internet network incident warnings are divided into four levels, indicated from high to low by red, orange, yellow, and blue, corresponding respectively to the possible occurrence of especially major, major, larger, and normal network security incidents.

4.4 Publication of Warnings

The Ministry Emergency Response Office and each province's (autonomous region's or municipality's) Communications Administration Bureau shall promptly compile and analyze information on hidden incident dangers and early warnings, and where necessary organize relevant units, professional technical personnel, and experts and scholars to confer and make assessments.

Where it is found that a red warning needs to be published, the Ministry Emergency Response Office reports it to the National Network Security Emergency Response Office for unified publication (or forwards a red warning published by the National Network Security Emergency Response Office), and reports to the Ministry Leading Group; where it is found that an orange warning needs to be published, it is uniformly published by the Ministry Emergency Response Office and reported to the National Network Security Emergency Response Office and the Ministry Leading Group; where it is found that a yellow or blue warning needs to be published, the relevant province's (autonomous region's or municipality's) Communications Administration Bureau may publish it within its administrative region, report it to the Ministry Emergency Response Office, and at the same time notify the relevant local departments. For situations that do not reach a warning level but still require the publication of cautionary information, the Ministry Emergency Response Office and each province's (autonomous region's or municipality's) Communications Administration Bureau may publish risk alert information.

When publishing warning information, it shall include the warning level, starting time, possible scope of impact and harm caused, precautionary measures to be taken, time limit requirements, the publishing organ, and so forth, and a consultation telephone number shall be published. Warning information may be published to the public through multiple forms such as websites, SMS, and WeChat.

4.5 Response to warnings

4.5.1 Yellow and Blue Alert Responses

After a yellow or blue warning is published, the relevant province's (autonomous region's or municipality's) Communications Administration Bureau shall, in light of the characteristics of the impending network security incident and the harm it might cause, take the following measures:

(1) require relevant units, bodies, and personnel to promptly collect and report relevant information, and strengthen monitoring of network security risks;

(2) organize relevant units, bodies, and personnel to strengthen tracking, analysis, and assessment of the situation, closely follow developments, and report important situations to the Ministry Emergency Response Office;

(3) promptly publicize measures for avoiding or mitigating harm, publish a consultation telephone number, and correctly guide the reporting of relevant information.

4.5.2 Red and orange alert responses

After a red or orange warning is published, the Ministry Emergency Response Office shall, in addition to taking the yellow and blue warning response measures, also take the following measures in light of the characteristics of the impending network security incident and the harm it might cause:

(1) require relevant units to implement 24-hour shifts, with relevant personnel maintaining unimpeded communications;

(2) organize the study and formulation of precautionary measures and emergency work plans, coordinate and dispatch all resources, complete all preparatory work, and report important situations to the Ministry Leading Group;

(3) organize relevant units to strengthen network security protections for important networks and systems;

(4) require relevant network security professional bodies and network security enterprises to enter standby status, draft response plans directed at the early warning information, and check emergency equipment, software tools, and so forth to ensure they are in good condition.

4.6 Lifting Warnings

After the Ministry Emergency Response Office or a province's (autonomous region's or municipality's) Communications Administration Bureau publishes a warning, it shall adjust the warning level in a timely manner according to developments and republish it in accordance with its authority; where assessment finds that an incident cannot occur or the risk has been eliminated, it shall promptly announce the lifting of the warning and lift the relevant measures already taken. After the relevant province's (autonomous region's or municipality's) Communications Administration Bureau lifts a yellow or blue warning, it shall promptly report to the Ministry Emergency Response Office.

5. Response and Disposition

5.1 Classified responses

Public Internet network security emergency responses are divided into four levels: Levels 1, 2, 3, and 4, corresponding respectively to especially major, major, larger, and normal incidents that have occurred.

5.2 Initial Disposition

After a public Internet network security incident occurs, the unit where the incident occurred shall, while immediately reporting to the competent department for telecommunications as provided in this Plan, immediately initiate its own emergency response plan, organize its emergency response teams and staff to take emergency disposition measures, make every effort to restore network and system operations, minimize the impact on users and society as far as possible, and at the same time take care to preserve evidence of the network attack, network intrusion, or network virus.

5.3 Initiating Responses

Level 1 responses are initiated on the basis of relevant national decisions or upon the approval of the Ministry Leading Group, with the Ministry Leading Group uniformly commanding and coordinating.

Level 2 response is initiated by the Ministry Emergency Response Office, with the Ministry Emergency Response Office uniformly commanding and coordinating.

Level 3 and Level 4 responses are initiated by decision of the relevant provincial (autonomous region or directly-governed municipality) Communications Administration Bureau, which is responsible for command and coordination.

After a Level 1 or Level 2 response is initiated, the Ministry Emergency Response Office immediately reports the incident situation to the National Network Security Emergency Response Office and others; the Ministry Emergency Response Office and relevant units enter an emergency state, implement 24-hour shifts, relevant personnel maintain unimpeded communications, and relevant units send personnel to participate in the work of the Ministry Emergency Response Office; depending on the situation, working groups for emergency recovery, attack tracing, impact assessment, information release, cross-departmental coordination, international coordination, and so forth are set up within the Ministry Emergency Response Office.

After a Level 3 or Level 4 response is initiated, the relevant province's (autonomous region's or municipality's) Communications Administration Bureau shall promptly report the relevant situation to the Ministry Emergency Response Office.

5.4 Situation Tracking

After a Level 1 or Level 2 response is initiated, the unit where the incident occurred, network security professional bodies, and network security enterprises shall continuously strengthen monitoring, track developments, check the scope of impact, closely follow public opinion, and promptly report changes in the situation, progress of the disposition, and relevant public opinion to the Ministry Emergency Response Office. Provincial (autonomous region or municipality) Communications Administration Bureaus immediately obtain a comprehensive understanding of the impact within their administrative regions and promptly report it to the Ministry Emergency Response Office. Basic telecommunications enterprises, domain name bodies, and Internet companies immediately ascertain the impact on their own networks and systems and promptly report it to the Ministry Emergency Response Office.

After a Level 3 or Level 4 response is initiated, the relevant province's (autonomous region's or municipality's) Communications Administration Bureau organizes relevant units to strengthen tracking and assessment of the situation.

5.5 Deployment Decisions

After a Level 1 or Level 2 response is initiated, the Ministry Leading Group or the Ministry Emergency Response Office urgently convenes a meeting to hear reports from all relevant parties, study emergency response measures, and make decisions and deployments for the emergency disposition work.

In light of the type, characteristics, and causes of the incident, relevant units are required to take the following measures: emergency bandwidth expansion, control of attack sources, filtering of attack traffic, patching of vulnerabilities, detection and removal of viruses, closing of ports, activation of backup data, temporary shutdown of relevant systems, and so forth; for large-scale user information leakage incidents, the unit where the incident occurred is required to promptly inform affected users and inform them of measures to mitigate harm; measures necessary to prevent secondary or derivative incidents; and other measures that can control and mitigate harm.

Do a good job of information reporting. Promptly report the progress of incident disposition to the National Network Security Emergency Response Office and others; depending on the situation, the Ministry Emergency Response Office notifies relevant functional departments and relevant industry competent departments of the incident situation, and where necessary requests support from relevant departments. Depending on the situation, notify foreign government departments of the relevant situation and request assistance.

Pay attention to information release. Promptly notify the public of the incident situation, publicize measures for avoiding or mitigating harm, publish a consultation telephone number, and guide public opinion. Without the consent of the Ministry Emergency Response Office, relevant units must not release information related to the incident to the public on their own initiative.

After a Level 3 or Level 4 response is initiated, the relevant province's (autonomous region's or municipality's) Communications Administration Bureau organizes relevant units to carry out disposition work. Where the disposition requires cooperation and support from other regions, the Communications Administration Bureau of the province (autonomous region or municipality) receiving the request shall actively cooperate and provide necessary support within the scope of its authority; where necessary, it may request that the Ministry Emergency Response Office coordinate.

5.6 Concluding Response

After the impact and harm of the incident are controlled or eliminated, Level 1 responses are concluded on the basis of relevant national decisions or upon the approval of the Ministry Leading Group; Level 2 responses are concluded by decision of the Ministry Emergency Response Office and reported to the Ministry Leading Group; Level 3 and Level 4 responses are concluded by decision of the relevant province's (autonomous region's or municipality's) Communications Administration Bureau and reported to the Ministry Emergency Response Office.

6. Post-incident briefing

6.1 Investigation and Assessment

After the emergency response to a public Internet network security incident concludes, the unit where the incident occurred shall promptly investigate the causes of the incident (including direct and indirect causes), its course, and responsibility; assess the impact and losses caused by the incident; summarize the lessons learned from incident prevention and emergency disposition work; put forward handling opinions and improvement measures; and form a summary report within 10 working days after the conclusion of the emergency response, to be reported to the competent department for telecommunications. After compiling and studying these reports, the competent department for telecommunications forms a report within 20 working days after the conclusion of the emergency response and submits it in accordance with procedures.

6.2 Awards, Punishments, and Accountability

The Ministry of Industry and Information Technology gives commendations or awards to advanced collectives and individuals that make outstanding contributions in responding to network security incidents.

Units or individuals that fail to draft emergency response plans and organize drills as provided, that report important incident situations late, falsely, by concealment, or by omission, or that commit other dereliction or neglect of duty in prevention, early warning, and emergency response work, are to be given admonishment talks or circulated criticism by the competent department for telecommunications, or held accountable or sanctioned in accordance with laws and regulations. The relevant situations of basic telecommunications enterprises are included in the enterprise's annual network and information security responsibility assessment.

7. Prevention and Response Preparation

7.1 Prevention and Protection

Basic telecommunications enterprises, domain name bodies, and Internet companies shall, in accordance with relevant laws and regulations and national and industry standards, establish and complete network security management systems, adopt network security protection technical measures, build network security technical means, regularly conduct network security inspections and risk assessments, and promptly eliminate hidden dangers and risks. The competent departments for telecommunications conduct network security supervision and inspections in accordance with law, and guide and urge relevant units to eliminate hidden security dangers.

7.2 Emergency Response Drills

The competent departments for telecommunications shall organize emergency response drills for public Internet network security incidents to improve relevant units' capacity to respond to network security incidents. Basic telecommunications enterprises, large Internet companies, and domain name bodies shall actively participate in the emergency response drills organized by the competent departments for telecommunications, and shall organize a network security emergency response drill of their own once each year; the situation of these drills shall be reported to the competent departments for telecommunications.

7.3 Publicity and Training

The competent departments for telecommunications and network security professional bodies organize publicity, education, and training on laws and regulations related to network security emergency response, emergency response plans, and basic knowledge, to raise the network security awareness and the protective and emergency response capacity of relevant enterprises and the public. Basic telecommunications enterprises, domain name bodies, and Internet companies shall strengthen publicity, education, and training on network security emergency response for their own employees. The holding of network security competitions in various forms is encouraged.

7.4 Tactics Construction

The Ministry of Industry and Information Technology plans and builds a unified public Internet network security emergency command platform that gathers, stores, and analyzes information on incidents and carries out emergency command and dispatch. It guides basic telecommunications enterprises, large Internet companies, domain name bodies, network security professional bodies, and other units in planning and building their own incident information systems and interconnecting them with the Ministry of Industry and Information Technology's emergency command platform.

7.5 Tools and Components

Basic telecommunications enterprises, domain name bodies, Internet companies, and network security professional bodies shall strengthen their reserves of network security emergency response equipment and tools, such as those for trojan detection and removal, vulnerability detection, network scanning, and penetration testing, and promptly adjust and upgrade software and hardware tools. The research and development of relevant technical equipment and tools is encouraged.

8. Safeguard Measures

8.1 Implementation Responsibility

Each province's (autonomous region's or municipality's) Communications Administration Bureau, basic telecommunications enterprises, domain name bodies, Internet companies, and network security professional bodies shall implement a responsibility system for network security emergency response work, assign responsibility to unit leaders, specific departments, specific posts, and individuals, and establish and complete their own network security emergency response work systems and mechanisms.

8.2 Funding Safeguards

The Ministry of Industry and Information Technology provides the necessary funding guarantees for the Ministry Emergency Response Office, each province's (autonomous region's or municipality's) Communications Administration Bureau, and network security professional bodies to carry out response work for public Internet network security incidents. Basic telecommunications enterprises, domain name bodies, and large Internet companies shall arrange special funds to support their own network security emergency response team construction, capability construction, emergency drills, emergency training, and other such work.

8.3 Team Construction

Network security professional bodies shall strengthen the construction of network security emergency response technical support teams, and continuously enhance their capabilities in the prevention and protection, monitoring and early warning, emergency disposition, and attack tracing of network security incidents. Basic telecommunications enterprises, domain name bodies, and large Internet companies shall establish dedicated network security emergency response teams to enhance their own network security emergency response capacity. Network security enterprises are supported in enhancing their emergency support capabilities, promoting the development of the network security emergency response industry.

8.4 Social Forces

A Ministry of Industry and Information Technology network security emergency response expert group is established, giving full play to the role of experts in emergency disposition work. Network security technical talent is selected from network security professional bodies, relevant enterprises, scientific research institutes, and institutions of higher education to form a pool of network security technical talent.

8.5 International Cooperation

The Ministry of Industry and Information Technology establishes international cooperation channels in accordance with its duties, signs international cooperation agreements, and where necessary responds to public Internet network security incidents through international cooperation. Network security professional bodies, basic telecommunications enterprises, domain name bodies, Internet companies, and network security enterprises are encouraged to carry out international exchanges and cooperation on network security.

9. Supplementary Provisions

9.1 Plan Management

In principle, this Plan is assessed once each year, and is revised by the Ministry of Industry and Information Technology at appropriate times in light of actual conditions.

Each province's (autonomous region's or municipality's) Communications Administration Bureau shall, on the basis of this Plan and in light of actual conditions, draft or revise an emergency response plan for public Internet network security incidents in its administrative region, and report it to the Ministry of Industry and Information Technology for filing.

Basic telecommunications enterprises, domain name bodies, and Internet companies shall draft their own emergency response plans for public Internet network security incidents. The emergency response plans of basic telecommunications enterprises, domain name bodies, and large Internet companies shall be filed with the competent departments for telecommunications.
