
Regulations on Security Management of Internet Government Applications

Release time: 14:11, May 23, 2024


(Formulated by the Office of the Central Cyberspace Affairs Commission, the Office of the Central Institutional Organization Commission, the Ministry of Industry and Information Technology and the Ministry of Public Security on February 19, 2024, and released on May 15, 2024)

Chapter I General Provisions

Article 1 These Provisions are formulated in accordance with the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and the Measures for Implementing the Cybersecurity Responsibility System of Party Committees (Party Leadership Groups), in order to ensure the security of Internet government applications.

Article 2 Party and government organs and public institutions at all levels (hereinafter "organs and institutions") shall comply with these Provisions when building and operating Internet government applications.

"Internet government applications" in these Provisions means the portal websites that organs and institutions set up on the Internet, the mobile applications (including mini-programs), public accounts and similar channels through which they provide public services over the Internet, and their Internet e-mail systems.

Article 3 The construction and operation of Internet government applications shall comply with relevant laws and administrative regulations and with the mandatory requirements of national standards; shall follow the principle that network security is planned, built and put into use in step with the Internet government application itself ("synchronous planning, synchronous construction, synchronous use"); and shall use technical and other necessary measures to guard against risks such as content tampering, outages caused by attacks and data theft, so as to ensure the secure and stable operation of Internet government applications and the security of their data.

Chapter II Establishment and Construction

Article 4 When opening a website, organs and institutions shall complete website review and filing according to the prescribed procedures. A Party or government organ may set up at most one portal website.

The central institutional organization department, the telecommunications authority of the State Council and the public security department of the State Council shall strengthen data sharing, streamline workflows, reduce the materials that must be submitted and shorten the time needed to open a website.

When opening a website, organs and institutions shall include the funds for its operation, maintenance and security assurance in their budgets.

Article 5 In principle, a website of a Party or government organ registers only one Chinese-script domain name and one English (ASCII) domain name, and the domain name shall end in ".gov.cn" or ".政务" (the Chinese-script "government affairs" top-level domain). Websites that are not Party or government organs shall not register or use ".gov.cn" or ".政务" domain names.

The domain name of a public institution's website shall end in ".cn" or ".公益" (the Chinese-script "public welfare" top-level domain).

Organs and institutions shall not transfer a registered website domain name to other units or individuals for use without authorization.

Article 6 Mobile applications of organs and institutions shall be distributed through filed application distribution platforms or through the organs' and institutions' own websites.

Article 7 The institutional organization departments shall prepare and issue dedicated electronic or paper certificates to organs and institutions. When distributing a mobile application through an application distribution platform, the organ or institution shall present its electronic or paper certificate to the platform operator for identity verification; when opening a microblog, public account, video account, live-streaming account or other public account, it shall likewise present the electronic or paper certificate to the platform operator for identity verification.

Article 8 The name of an Internet government application shall preferably be the name of its operating entity or that entity's standardized abbreviation. If another name is used, it shall in principle consist of the name of the region plus the name of the function, and the name of the operating entity shall be shown in a prominent position. Specific naming rules shall be formulated by the central institutional organization department.

Article 9 The central institutional organization department shall establish a dedicated online identifier for organs and institutions, which may not be used by anyone other than organs and institutions.

Websites of organs and institutions shall display the online identifier at the bottom centre of the home page. The Office of the Central Cyberspace Affairs Commission, together with the central institutional organization department, shall coordinate application distribution platforms and public-account information service platforms so that the identifier is also shown on the download page of each mobile application and in a prominent position on each public account.

Article 10 All regions and departments shall plan the construction of the websites of Party and government organs in their region or department as a whole and promote consolidated construction.

In principle, the individual departments of county-level Party and government organs and the Party and government organs at township level do not build separate websites; they may instead open pages and columns and publish information on the website platform of the superior Party or government organ.

Article 11 Internet government applications shall support open standards, take compatibility with the user side fully into account, and shall not require users to use a specific browser, office software or other particular client hardware or software in order to access them.

Organs and institutions that provide public services through the Internet shall not bind those services to a single Internet platform, and shall not make downloading, installing, registering with or using a specific Internet platform a precondition for obtaining the service.

Article 12 Where the operating entity of an Internet government application changes because of an institutional adjustment or for other reasons, the domain name or filing information shall be updated promptly. Where an application is no longer used, its service shall be shut down promptly, its data archived and then deleted, and its domain name and filing cancelled.

Chapter III Information Security

Article 13 When publishing information through Internet government applications, organs and institutions shall improve their information publication review system, specify the review procedure, designate internal bodies and staff on the official establishment to carry out the review, and keep review records on file. They shall ensure that published content is authoritative, truthful, accurate, timely and serious, and shall not publish illegal or harmful information.

Article 14 Information that organs and institutions republish through Internet government applications shall relate to government affairs or other activities performed in the exercise of their functions, and its truthfulness and objectivity shall be assessed. The republishing page shall clearly and accurately state the source website, the time of republication and the link to the original, and due regard shall be given to the intellectual property rights in pictures and other content.

Article 15 Where information published by organs and institutions needs to link to something other than an Internet government application, they shall confirm that the linked resource relates to government affairs or other activities performed in the exercise of their functions, or falls within the scope of public-convenience services. The validity and suitability of links shall be checked regularly and abnormal links dealt with promptly. Portal websites of Party and government organs shall take technical measures to show a clear prompt when a user clicks a link that leads to a website that is not a Party or government organ's.

Article 16 Organs and institutions shall take security and confidentiality controls, strictly prohibit the publication of state secrets and work secrets, and guard against the risk of disclosure that arises when Internet government application data is aggregated and correlated. Confidentiality management of the storage, processing and transmission of work secrets in Internet government applications shall be strengthened.

Chapter IV Network and Data Security

Article 17 The construction of Internet government applications shall implement the cybersecurity multi-level protection scheme (MLPS) and the national requirements for cryptography application management, carry out MLPS grading, filing and evaluation in accordance with the relevant standards and specifications, implement rectification and hardening measures for security construction, and guard against network and data security risks.

The portal websites of central and state organs and of local Party and government organs at the prefecture level and above, as well as the websites, Internet e-mail systems and other applications of organs and institutions that carry important business applications, shall meet the requirements of MLPS Level 3.

Article 18 Organs and institutions shall, at least once a year, conduct a security inspection and assessment of the network and data security of their Internet government applications, either themselves or by engaging a suitably qualified third-party network security service provider.

A security inspection and assessment shall also be carried out before an Internet government application system goes live, is upgraded, has functions added, or introduces new technologies or new applications.

Article 19 Internet government applications shall set access-control policies. For the functions used by the staff of organs and institutions, and for Internet e-mail systems, access shall be restricted by the source IP address segment or by the accessing device. Where access from outside China is genuinely necessary, access rights shall be opened on an allowlist basis, limited to specific time periods and to specific devices or accounts.
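The policy in Article 19, as an added worked example that is not part of the regulation: a default-deny check for a staff-only function. Requests from the registered office IP segments pass; anything else must match an allowlist entry that is bound to a specific account or device and is valid only inside a fixed time window. The segments, accounts, devices and dates are constructed for the example, and the allowlist is an in-memory list rather than whatever store a real deployment would use.

```python
"""Added example, not part of the regulation: the access-control policy Article 19
describes for staff-only functions and the working mailbox. Default deny; permit
only from registered office IP segments, or by an allowlist entry bound to a
specific account or device and valid only in a specific time window. The segments,
accounts, devices and dates are constructed."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed: office/intranet egress segments from which staff functions may be reached.
STAFF_SEGMENTS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]


def to_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp that carries an offset, e.g. '2024-07-02T09:00:00+08:00'."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a UTC offset")
    return dt.astimezone(timezone.utc)


@dataclass(frozen=True)
class AllowlistEntry:
    """Exception for access from outside STAFF_SEGMENTS (e.g. an officer travelling abroad).
    It must be bound to an account, a device, or both, and is valid for [not_before, not_after)."""
    not_before: datetime
    not_after: datetime
    account: Optional[str] = None
    device_id: Optional[str] = None

    def __post_init__(self) -> None:
        if self.account is None and self.device_id is None:
            raise ValueError("allowlist entry must name a specific account or device")
        if self.not_before.tzinfo is None or self.not_after.tzinfo is None:
            raise ValueError("time window must be timezone-aware")
        if self.not_after <= self.not_before:
            raise ValueError("empty time window")


# Constructed allowlist: one account for two days, one device for one week.
ALLOWLIST: List[AllowlistEntry] = [
    AllowlistEntry(to_utc("2024-07-01T00:00:00+08:00"), to_utc("2024-07-03T00:00:00+08:00"),
                   account="zhang.wei"),
    AllowlistEntry(to_utc("2024-07-08T00:00:00+08:00"), to_utc("2024-07-15T00:00:00+08:00"),
                   device_id="laptop-0427"),
]


def is_access_allowed(client_ip: str, account: str, device_id: str, at: str) -> Tuple[bool, str]:
    """Decide whether a request to a staff-only function is permitted. Returns (allowed, reason)."""
    addr = ipaddress.ip_address(client_ip)
    if any(addr in seg for seg in STAFF_SEGMENTS):
        return True, "office-segment"
    now = to_utc(at)
    for entry in ALLOWLIST:
        if entry.account is not None and entry.account != account:
            continue
        if entry.device_id is not None and entry.device_id != device_id:
            continue
        if not (entry.not_before <= now < entry.not_after):
            continue
        return True, f"allowlist:{entry.account or '*'}/{entry.device_id or '*'}"
    return False, "denied: outside office segments and no allowlist entry in force"
```

The check is deliberately ordered so that an allowlist entry can never widen access without naming an account or a device, and so that an expired window fails closed; the `reason` string is what should land in the access log Article 20 requires to be kept.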

Article 20 Organs and institutions shall retain the operation logs of firewalls, hosts and other equipment related to Internet government applications, together with application access logs and database operation logs, for at least one year, and shall back the logs up regularly to ensure their integrity and availability.

Article 21 Organs and institutions shall, in accordance with national and industry requirements for data security and personal information protection, manage Internet government application data by category and classification level, with emphasis on protecting important data, personal information and trade secrets.

Article 22 Personal information, trade secrets and other unpublished data collected by organs and institutions through Internet government applications shall not be provided or disclosed to third parties without the consent of the party that supplied it, nor used for any purpose other than the performance of statutory duties.

Article 23 Data centres and cloud computing service platforms that serve Internet government applications shall be located within the territory of China.

Article 24 When procuring cloud computing services to build Internet government applications, Party and government organs shall select cloud platforms that have passed the national cloud computing service security assessment, and shall strengthen management of how the procured cloud services are used.

Article 25 When organs and institutions outsource the development, operation or maintenance of Internet government applications, they shall define the outsourcing unit's network and data security responsibilities by contract or other means, and strengthen day-to-day supervision, management, assessment and accountability; they shall require the outsourcing unit to use, store and process data strictly as agreed. Without the consent of the commissioning organ or institution, the outsourcing unit shall not subcontract or re-delegate the work, and shall not access, modify, disclose, use, transfer or destroy the data.

Organs and institutions shall establish a strict authorization and access mechanism. The highest administrator privileges for operating systems, databases, server rooms and the like must be held by the unit's own staff and shall not be handed to outsourcing personnel to manage or use without authorization. Outsourcing personnel shall be granted fine-grained privileges on the principle of minimum necessity, and those privileges shall be withdrawn promptly when the authorization expires.

Article 26 Organs and institutions shall, as appropriate, build or use commercially provided professional disaster recovery facilities to back up the important data and information systems of their Internet government applications.

Article 27 Organs and institutions shall strengthen security management of Internet government application development, and any external code they use shall undergo security testing. They shall establish a business continuity plan to mitigate the risk that a change in a supplier's services leaves the application without upgrade, operation or maintenance support.

Article 28 Where an Internet government application uses a CDN service, it shall require the service provider to resolve the domain name for domestic users to domestic nodes and not to overseas nodes.

Article 29 Internet government applications shall be accessed over secure connections, and any electronic authentication services involved shall be provided by lawfully established e-government electronic authentication service providers.

Article 30 Internet government applications shall verify the real identity information of registered users. The state encourages Internet government applications to support registration with real identity information through the national network identity authentication public service.

For Internet government applications and e-mail systems that involve personal or property safety, social or public interests and the like, multi-factor authentication shall be adopted to raise security; technical measures such as session timeout (forced logout after inactivity), limiting the number of failed login attempts, and binding accounts to terminals shall be taken to guard against account takeover; and identity authentication measures such as electronic certificates are encouraged.
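The controls listed in the second paragraph of Article 30, as an added worked example that is not part of the regulation: a second factor (here HOTP per RFC 4226, standing in for whatever token or certificate a deployment actually issues), a limit on consecutive failed logins with a lockout, a session that expires after a period of inactivity, and binding of each account to the terminals it may be used from. The policy values, the sample account and the use of HOTP are assumptions of this example; timestamps are passed in as epoch seconds so the behaviour is deterministic.

```python
"""Added example, not part of the regulation: the account-hardening controls
named in Article 30 (second factor, limit on failed logins with lockout, session
idle timeout, and binding of accounts to terminals). Policy values, the HOTP
second factor and the sample account are assumptions of this example."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

MAX_FAILURES = 5                # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60       # assumed lockout duration
IDLE_TIMEOUT_SECONDS = 10 * 60  # assumed idle window before forced logout


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the one-time code the user's registered token produces."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    otp_secret: bytes
    bound_devices: Set[str]   # terminals this account may be used from
    otp_counter: int = 0      # next HOTP counter the server will accept
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    device_id: str
    last_seen: float


class AuthGuard:
    """Timestamps are epoch seconds supplied by the caller so the logic is deterministic."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user: str, password: str, otp_secret: bytes, device_id: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, self._hash(password, salt), otp_secret, {device_id})

    def login(self, user: str, password: str, otp_code: str, device_id: str,
              now: float) -> Tuple[Optional[str], str]:
        """Return (session_token, reason). Unknown users and wrong passwords share one
        reason so the endpoint does not reveal which accounts exist."""
        acct = self.accounts.get(user)
        if acct is None:
            return None, "bad-credentials"
        if now < acct.locked_until:
            return None, "locked"
        pw_ok = hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash)
        otp_ok = hmac.compare_digest(otp_code.encode(), hotp(acct.otp_secret, acct.otp_counter).encode())
        if not (pw_ok and otp_ok):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.failures = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                return None, "locked"
            return None, "bad-credentials"
        acct.failures = 0
        acct.otp_counter += 1   # the code just used can never be replayed (no look-ahead window here)
        if device_id not in acct.bound_devices:
            return None, "device-not-bound"
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, device_id, now)
        return token, "ok"

    def touch(self, token: str, device_id: str, now: float) -> Optional[str]:
        """Validate a session on each request: drop it after IDLE_TIMEOUT_SECONDS of
        inactivity, or if the token is presented from a terminal other than the one
        it was issued to."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_seen > IDLE_TIMEOUT_SECONDS or device_id != sess.device_id:
            del self.sessions[token]
            return None
        sess.last_seen = now
        return sess.user
```

Two details matter more than they look: the failure counter is incremented whenever either factor is wrong, so an attacker who knows the password cannot brute-force the one-time code, and the session token is tied to the terminal at issue time, so a stolen token presented from another device is discarded rather than merely logged.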

Chapter V E-mail Security

Article 31 All regions and departments are encouraged to build dedicated Internet e-mail systems for organs and institutions on a "built once, used jointly" model, to serve as working mailboxes providing e-mail services to the organs and institutions in their region or industry. The domain name of an Internet e-mail system built by a Party or government organ shall end in ".gov.cn" or ".政务"; that of one built by a public institution shall end in ".cn" or ".公益".

Staff of organs and institutions shall not, in breach of the rules, use their working mailboxes to store, process, transmit or forward state secrets.

Article 32 Organs and institutions shall establish procedures for the application, issuance, modification and cancellation of working e-mail accounts, approve and register accounts strictly, and clean up accounts regularly.

Article 33 The Internet e-mail systems of organs and institutions shall disable automatic forwarding and automatic downloading of attachments.

Article 34 The Internet e-mail systems of organs and institutions shall be able to detect and intercept malicious e-mail (including e-mail sent from within the unit), covering malicious sender accounts, malicious mail-server IP addresses, and malicious subjects, bodies, links and attachments. They shall support the sharing of phishing-e-mail threat intelligence, report discovered phishing e-mail to the competent department and the local cyberspace affairs department, and, on the basis of the phishing threat intelligence issued by the relevant departments, configure protective policies that intercept phishing e-mail pre-emptively.

Article 35 Organs and institutions are encouraged to protect stored e-mail data with commercial cryptography.
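The mail check described in Article 34, as an added worked example that is not part of the regulation: each inbound message is parsed and matched against a threat-intelligence feed of malicious sender accounts, mail-server IP ranges, subject patterns, link domains and attachment hashes; any hit intercepts the message and produces the record that would be reported onward. Mail from the unit's own accounts goes through the same check, which is the point of the first constructed message below. The feed contents, addresses, domains, attachment bytes and both messages are constructed for the example; the connecting server's IP is something the MTA knows at SMTP time and is passed in as a parameter.

```python
"""Added example, not part of the regulation: the inbound-mail check described in
Article 34. Every message, including mail sent from inside the unit, is matched
against a threat-intelligence feed of malicious sender accounts, mail-server IP
ranges, subject patterns, link domains and attachment hashes; a hit intercepts
the message and yields the record to report onward. The feed, addresses,
domains, attachment bytes and messages below are all constructed."""
import base64
import email
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Set
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class ThreatIntel:
    """One indicator set, as issued by the relevant department (contents assumed)."""
    sender_accounts: Set[str] = field(default_factory=set)
    server_networks: List[ipaddress.IPv4Network] = field(default_factory=list)
    subject_patterns: List[re.Pattern] = field(default_factory=list)
    link_domains: Set[str] = field(default_factory=set)
    attachment_sha256: Set[str] = field(default_factory=set)


def _domain_listed(host: str, domains: Set[str]) -> bool:
    return any(host == d or host.endswith("." + d) for d in domains)


def inspect_mail(raw: str, server_ip: str, intel: ThreatIntel) -> Dict:
    """Return {"action": "intercept"|"deliver", "indicators": [...], "report": {...}|None}.
    server_ip is the connecting MTA's address as seen at SMTP time."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits: List[str] = []
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender in intel.sender_accounts:
        hits.append(f"sender:{sender}")
    if any(ipaddress.ip_address(server_ip) in net for net in intel.server_networks):
        hits.append(f"server_ip:{server_ip}")
    subject = str(msg.get("Subject", ""))
    if any(p.search(subject) for p in intel.subject_patterns):
        hits.append(f"subject:{subject}")
    text = ""
    for part in msg.walk():
        if part.get_filename():                       # attachment: hash the decoded bytes
            digest = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
            if digest in intel.attachment_sha256:
                hits.append(f"attachment:{part.get_filename()}:{digest[:12]}")
        elif part.get_content_type() == "text/plain":
            text += part.get_content()
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if _domain_listed(host, intel.link_domains):
            hits.append(f"link:{url}")
    report = None
    if hits:  # Article 34: discovered phishing mail is reported onward; this is the record to submit
        report = {"message_sha256": hashlib.sha256(raw.encode()).hexdigest(),
                  "from": sender, "server_ip": server_ip, "indicators": hits}
    return {"action": "intercept" if hits else "deliver", "indicators": hits, "report": report}


# Constructed feed and messages (example-only values).
MALICIOUS_ATTACHMENT = b"MZ-constructed-malicious-sample"   # stand-in bytes, not real malware
INTEL = ThreatIntel(
    sender_accounts={"notice@gov-login-verify.example"},
    server_networks=[ipaddress.ip_network("192.0.2.0/24")],
    subject_patterns=[re.compile(r"(account|mailbox).*(verify|suspend)", re.I)],
    link_domains={"gov-login-verify.example"},
    attachment_sha256={hashlib.sha256(MALICIOUS_ATTACHMENT).hexdigest()},
)

# An internal colleague's account relaying a listed link and a listed attachment:
# Article 34 covers internal mail too, so this is intercepted despite the trusted sender.
PHISH_MAIL = f"""\
From: Li Na <li.na@agency.gov.cn>
To: staff@agency.gov.cn
Subject: Internal notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please re-validate your mailbox at https://mail.gov-login-verify.example/login today.
--b1
Content-Type: application/octet-stream; name="form.exe"
Content-Disposition: attachment; filename="form.exe"
Content-Transfer-Encoding: base64

{base64.b64encode(MALICIOUS_ATTACHMENT).decode()}
--b1--
"""

CLEAN_MAIL = """\
From: Wang Fang <wang.fang@agency.gov.cn>
To: staff@agency.gov.cn
Subject: Meeting agenda
Content-Type: text/plain; charset="utf-8"

Agenda for Monday is posted at https://www.agency.gov.cn/notice/2024-07 .
"""
```

Indicators are matched independently, so a message is intercepted as soon as any one of them fires: the same clean message relayed from a listed server IP is stopped, and a listed sender is stopped even with an innocuous subject and no links. The `report` dictionary, keyed by the message hash, is the minimum a reporting channel to the competent department would need.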

Chapter VI Monitoring, Early Warning and Emergency Response

Article 36 The Office of the Central Cyberspace Affairs Commission, together with the telecommunications authority, the public security department and other relevant departments of the State Council, organizes security monitoring of the Internet government applications of Party and government organs at the prefecture level and above.

All regions and departments shall carry out day-to-day monitoring and security inspection of the Internet government applications of the organs and institutions in their region or industry.

Organs and institutions shall build and improve their own security monitoring capability for Internet government applications, monitoring their operating status and network security events in real time.

Article 37 When a network security incident occurs in an Internet government application, the organ or institution shall report it to the relevant departments in accordance with the applicable rules.

Article 38 The Office of the Central Cyberspace Affairs Commission coordinates the emergency response to major network security incidents.

When a network security incident occurs or is likely to occur in an Internet government application, the organ or institution shall immediately activate its own network security emergency plan, handle the incident promptly, eliminate the security risk and prevent the harm from spreading.

Article 39 The institutional organization departments, together with the cyberspace affairs departments, scan for and monitor counterfeit Internet government applications and accept related complaints and reports. For counterfeit Internet government applications found through monitoring or reported by Internet users, the cyberspace affairs departments, together with the telecommunications authorities, promptly suspend domain name resolution, block network access and take the applications offline. The public security departments are responsible for combating illegal and criminal activity involving counterfeit Internet government applications.

Chapter VII Supervision and Management

Article 40 The Office of the Central Cyberspace Affairs Commission is responsible for coordinating the security management of Internet government applications. The central institutional organization department is responsible for verifying the identity of the entities that launch Internet government applications and for managing their names and identifiers. The telecommunications authority of the State Council is responsible for supervising and administering the domain names of Internet government applications and their Internet information service (ICP) filings. The public security department of the State Council is responsible for supervising, inspecting and guiding the multi-level protection and related security management of Internet government applications.

All regions and departments shall bear responsibility for the security management of the Internet government applications in their region or industry, designate a responsible person to take charge of the relevant work, and strengthen organization and leadership over Internet government applications.

Article 41 Where these Provisions are violated or their requirements are not properly fulfilled, the responsibility of the persons concerned and of the relevant leaders shall be pursued in accordance with the Measures for Implementing the Cybersecurity Responsibility System of Party Committees (Party Leadership Groups) and other relevant rules and disciplinary provisions.

Chapter VIII Supplementary Provisions

Article 42 The security management of portal websites, mobile applications, public accounts and e-mail systems that are designated as critical information infrastructure shall be carried out with reference to the relevant content of these Provisions.

Article 43 The Office of the Central Cyberspace Affairs Commission, the Office of the Central Institutional Organization Commission, the Ministry of Industry and Information Technology and the Ministry of Public Security are responsible for interpreting these Provisions.

Article 44 These Provisions shall come into force as of July 1, 2024.

(Source: "网信中国" (Cyberspace China))

(Link: https://mp.weixin.qq.com/s/TLDGo-a0DbWydob7LLP6-Q)