Provisions for the security assessment of Internet information services with public opinion or social mobilization capabilities

By Todd Kuhns. Last updated on Nov 15, 2018

Release Date: November 15, 2018

Source: China Netcom

    Article I In order to strengthen the security management of Internet information services with public opinion attributes or social mobilization capabilities and of related new technologies and new applications, to regulate Internet information service activities, and to safeguard national security, social order and the public interest, these regulations are formulated in accordance with the “People’s Republic of China Network Security Law”, the “Administrative Measures for Internet Information Services” and the “Administrative Measures for Security Protection of International Networking of Computer Information Networks”.

    Article II The term “Internet information services with public opinion attributes or social mobilization capabilities” as used in these regulations includes the following situations:

    (1) Establishing information services such as forums, blogs, microblogs, chat rooms, communication groups, public accounts, short videos, webcasts, information sharing, applets or other related services;

    (2) Launching other Internet information services that provide channels for the expression of public opinion or have the ability to mobilize the public to engage in specific activities.

    Article III An Internet information service provider shall, in any of the following circumstances, carry out its own security assessment in accordance with these regulations and be responsible for the assessment results:

    (1) Information services with public opinion attributes or social mobilization capabilities are launched, or information services have added relevant functions;

    (2) The use of new technologies and new applications has caused major changes in the functional attributes, technical implementation methods, and basic resource allocation of information services, resulting in major changes in public opinion attributes or social mobilization capabilities;

    (3) Significant increase in the scale of users, leading to major changes in the nature of public opinion or social mobilization capabilities of information services;

    (4) The occurrence and spread of illegal and harmful information, indicating that it is difficult to effectively prevent and control cyber security risks with existing security measures;

    (5) Other situations in which the network information department or the public security organ at the prefectural or municipal level notifies in writing that a security assessment is required.

    Article IV Internet information service providers may carry out the security assessment themselves, or may entrust a third-party security assessment body to carry it out.

    Article V When carrying out a security assessment, an Internet information service provider shall comprehensively assess the legitimacy of the information services and of the new technologies and new applications, the implementation of laws and administrative regulations, the effectiveness of safety measures, the provisions of departmental rules and standards, and the effectiveness of the prevention and control of security risks, and shall focus on the following:

    (1) The designation of a person in charge of security management and of information reviewers, or the establishment of a security management organization, compatible with the services provided;

    (2) Measures to verify the true identity of users and retention of registration information;

    (3) Retention measures for log information such as the user’s account number, operation time, operation type, network source address and destination address, network source port, and client hardware characteristics, and for records of the information users publish;

    (4) Measures for preventing and disposing of illegal and harmful information, and for keeping the related records, in service functions such as user account and communication group names, nicknames, profiles, remarks, identifiers, information publishing, forwarding, commenting, and communication groups;

    (5) Personal information protection and technical measures to prevent the spread of illegal and harmful information and the risk of out-of-control social mobilization functions;

    (6) Establishing a complaint and reporting system, publishing information such as complaints and reporting methods, and receiving and processing relevant complaints and reports in a timely manner;

    (7) The establishment of working mechanisms that provide technical, data support, and assistance for online information departments to perform their duties of supervision and management of Internet information services according to law;

    (8) The establishment of working mechanisms that provide technical, data support and assistance for public security organs and national security organs to safeguard national security and investigate and deal with illegal crimes according to law.

    Article VI Where an Internet information service provider finds a security risk during the security assessment, it shall rectify it in a timely manner until the related security risk is eliminated.

    Once the security assessment meets the requirements of laws, administrative regulations, departmental rules and standards, a security assessment report shall be produced. The security assessment report should include the following:

    (1) Basic information about the functions, service scope, software and hardware facilities, and deployment locations of Internet information services and the acquisition of relevant licenses;

    (2) The implementation of the security management system and technical measures, and the effects of risk prevention and control;

    (3) Conclusions of the security assessment;

    (4) Other relevant information that should be explained.

    Article VII Internet information service providers shall submit the security assessment report, through the national Internet security management service platform, to the network information department and the public security organ at the municipal level where they are located.

    In the first and second situations in Article 3 of these regulations, the Internet information service provider shall submit a security assessment report before the information service, new technology or new application goes online or the function is added; in the third, fourth or fifth situations, a security assessment report should be submitted within 30 working days from the date on which the relevant situation occurs.

    Article VIII The network information department and the public security organ at the municipal level shall, according to their respective responsibilities, conduct a written review of the security assessment report.

    If it is found that the contents and items of the security assessment report are missing or the security assessment method is obviously inappropriate, the Internet information service provider shall be ordered to re-evaluate within a time limit.

    If it is found that the content of the security assessment report is unclear, the Internet information service provider may be ordered to provide additional explanations.

    Article IX Where the network information department and the public security organs deem it necessary on the basis of the written review of the security assessment report, they shall, according to their respective responsibilities, carry out spot checks on the Internet information service provider.

    The online information department and public security organs shall, in principle, jointly conduct the on-site inspection and shall not interfere with the normal business activities of the Internet information service provider.

    Article X Where an Internet information service presents a major security risk that may affect national security, social order and the public interest, the provincial network information department and public security organs shall organize experts to conduct a review and, if necessary, may carry out on-site inspections in conjunction with the relevant local departments.

    Article XI On-site inspections by the network information department and the public security organs shall be carried out in accordance with relevant laws, administrative regulations and departmental rules.

    Article XII The network information department and the public security organs shall establish a monitoring and management system, strengthen network security risk management, and supervise Internet information service providers in performing their network security obligations.

    If it is found that an Internet information service provider with public opinion or social mobilization ability fails to conduct a security assessment in accordance with these regulations, the network information department and public security organ shall notify it to conduct a security assessment in accordance with these regulations.

    Article XIII Where the network information department and the public security organs find that an Internet information service provider with public opinion attributes or social mobilization capabilities refuses to carry out a security assessment in accordance with these regulations, they shall warn the public, through the National Internet Managed Security Services Platform, that the Internet information service carries security risks, and shall, in accordance with their respective duties, carry out supervision and inspection of the Internet information service; where illegal acts are found, they shall be dealt with according to law.

    Article XIV The network information department shall coordinate the security assessment of Internet information services with public opinion attributes or social mobilization capabilities; the public security organs shall regularly inform the network information department of their security assessment work.

    Article XV The network information department, the public security organs and their staff shall keep strictly confidential the state secrets, trade secrets and personal information they learn of in carrying out their duties, and shall not disclose, sell or illegally provide them to others.

    Article XVI Security assessments of new technologies and new applications for Internet news information services shall be carried out in accordance with the “Internet News Information Services application security assessment of new technologies and new regulations”.

    Article XVII These regulations shall take effect on November 30, 2018.