【中英文对照版】互联网政务应用安全管理规定.docx

互联网政务应用安全管理规定AdministrativeProvisionsontheSecurityofInternetGovernmentAffairsApplications制定机关：中央网络安仝和信息化会贡会办公空中央机构俄制会员会办公室工业和信息化部公安部公布日期：2024.05.15施行日期：2024.07.01效力位汾：部门视冠性文件法规臭别：网络安全管理IssuingAuthorityOfficeoftheCentralCybcrspaccAflairsCommissionSlateCommissionOfficefarPublicSectorRefonnMiniSlryOflndU§ry&InformationTechnologyMinistryofPublicSecurityDateIssued：05-15-2024EffectiveDate：07-01-20241.evelofAuthorityDepanmentalRegukHoryDocumentsArCaOfI-aw:NetworkSecurityManagement互联网政务应并安全管理规定AdministrativeProvisionsontheSecurityofInternetGovernmentAffairsApplications（2024年2月19日中央网络安全和信息化委员会办公室、中央机构编制委员会办公室、工业和信息化部、公安部制定2024年5月15日发布）(DevelopedbytheOfficeoftheCentralCyberspaceAffairsCommission,theStateCommissionOfficeforPublicSectorsReform,theMinistryofIndustryandInformationTechnology,andtheMinistryofPublicSecurityonFebruary19,2024andissuedonMay15,2024)第一章总则第一条为保障互联网政务应用安全，根据中华人民共和国网络安全法中华人民共和国数据安全法中华人民共和国个人信息保护法党委（党组）网络安全工作责任制实施办法等，制定本Chapter I GeneralProvisionsArticle1TheseProvisionsaredevelopedinaccordancewiththeCybersecurity1.awofthePeople'sRepublicofChina,theDataSecurity1.awofthePeople'sRepublicofChina,thePersonalInformationProtection1.awofthePeople'sRepublicofChina,andtheMeasuresfortheImplementationoftheResponsibilitySystemforCybersecurityWorkofthePartyCommittee(PartyGroup),amongothers,forthepurposeofensuringthesecurityof规定。Internetgovernmentapplications.Article2Partyandgovernmentorgansandpublicinstitutionsatalllevels("organsandpublicinstitutions")shallcomplywiththeseProvisionsintheconstructionandoperationofInternetgovernmentaffairsapplications.ForthepurposesoftheseProvisions,"Internetgovernmentaffairsapplications"meansthemobileapplications(includingminiprograms),andofficialaccounts,amongothers,throughwhichpublicservicesareprovidedthroughtheInternetbyportalwebsitesestablishedbyorgansandpublicinstitutionsontheInternet,aswellasInternetemailsystems.Article3TheconstructionandoperationofInternetgovernmentaffairsapplicationsshallcomplywiththeprovisionsofrelevantlawsandadministrativeregulationsaswellasthecompulsoryrequirementsofnationalstandards,followtheprinciplesof"simultaneousplanning,simultaneousconstruction,andsimultaneoususe"forcybersecurityandInternetgovernmentaffairsapplications,andtechnicalmeasuresandothernecessarymeasuresshallbetakentopreventanycontenttampering,paralysiscausedbyattack,datatheft,andotherrisks,andensurethesafeandstableoperationofInternetgovernmentaffairsapplicationsanddatasecurity.Chapter II EstablishmentandConstruction第二条各级党政机关和事业单位（简称机关事业单位）建设运行互联网政务应用，应当遵守本规定。本规定所称互联网政务应用，是指机关事业单位在互联网上设立的门户网站，通过互联网提供公共服务的移动应用程序（含小程序）、公众账号等，以及互联网电子邮件系统。第三条建设运行互联网政务应用应当依照有关法律、行政法规的规定以及国家标准的强制性要求，落实网络安全与互联网政务应用“同步规划、同步建设、同步使用”原则，采取技术措施和其他必要措施，防范内容篡改、攻击致瘫、数据窃取等风险，保障互联网政务应用安全稳定运行和数据安全。第二章开办和建设第四条机关事业单位开办网站应当按程序完成开办审核和备案工作。一个党政机关最多开设一个门户网站。Article4Anorganorpublicinstitutionintendingtoestablishawebsiteshallcompletetheexaminationandrecordationworkaccordingtoprocedures.Anorganorpublicinstitutionmayopenoneportalwebsiteatmost.ThepublicsectorsreformdepartmentofacentralorganandthetelecommunicationsdepartmentandthepublicsecuritydepartmentoftheStateCouncilshallstrengthendatasharing,optimizetheworkprocess,reducethematerialstobesubmitted,andshortentheestablishmentperiod.Anorganorpublicinstitutionthatestablishesawebsiteshallincludethefundsforoperation,maintenance,andsecurityinitsbudget.Article5Inprinciple,onlyoneChinesedomainnameandoneEnglishdomainnamemayberegisteredforthewebsiteofaPartyorgovernmentorgan.Adomainnameshalltake,"or".governmentaffairs"asthesuffix.Thewebsiteofanon-Partyorgovernmentorganmaynotregisterorusethedomainnameof*,"or".governmentaffairs".Thedomainnameofthewebsiteofapublicinstitutionshalltake".cn"or.publicinterest"asthesuffix.Withoutapproval,anorganorpublicinstitutionshallnottransfertheregistereddomainnameofawebsitetoanyotherentityorindividualforuse.Article 6 Themobileapplicationsofanorganorpublicinstitutionshallbedistributedonthefiledapplicationdistributionplatformorthewebsiteoftheorganorpublicinstitution.中央机构编制管理部门、国务院电信部门、国务院公安部门加强数据共享，优化工作流程，减少填报材料，缩短开办周期。机关事业单位开办网站，应当将运维和安全保漳经费纳入预算。第五条一个党政机关网站原则上只注册一个中文域名和一个英文域名，域名应当以”m或".政务”为后缓。非党政机关网站不得注册使用"”或“政务”的域名。事业单位网站的域名应当以”.cn”或“.公益”为后缀。机关事业单位不得将已注册的网站域名擅自转让绐其他单位或个人使用。笫六条机关事业单位移动应用程序应当在已备案的应用程序分发平台或机关事业单位网站分发。笫七条机构编制管理部Article 7 Thepublicsectorsreformdepartmentshallprepareandissuespecialelectronicorpapercertificatesfororgansandpublicinstitutions.Whendistributingamobileapplicationthroughanapplicationdistributionplatform,anorganorpublicinstitutionshallprovideanelectronicorpapercertificatetotheplatformoperatorforidentityverification.ToopenaWeiboaccount,publicaccount,videoaccount,Iivestreamingaccount,oranyotherofficialaccount,anorganorpublicinstitutionshallprovideanelectronicorpapercertificatetotheplatformoperatorforidentityverification.Article 8 ThenameofanInternetgovernmentaffairsapplicationshallprioritizetheuseoftheentity'snameoritsstandardizedabbreviation.Ifanyothernameisused,themethodofcombiningthenameoftheregionanddutiesshallbeadoptedinprinciple,andtheentitynameshallbeindicatedinaconspicuousposition.Thespecificnamingrulesshallbedevelopedbythepublicsectorsreformdepartmentofacentralorgan.Article 9 Thepublicsectorsreformdepartmentofacentralorganshallassignanexclusiveonlineidentifierforanorganorpublicinstitution,whichmaynotbeusedbyanon-organorpublicinstitution.门为机关事业单位制发专属电子证书或纸质证书。机关事业单位通过应用程序分发平台分发移动应用程序，应当向平台运营者提供电子证书或纸质证书用于身份核验；开办微博、公众号、视频号、直播号等公众账号，应当向平台运营者提供电子证书或纸质证书用于身份核验。笫八条互联网政务应用的名称优先使用实体机构名称、规范简称，使用其他名称的，原则上采取区域名加职责名的命名方式，并在显著位置标明实体机构名称。具体命名规范由中央机构编制管理部门制定。笫九条中央机构编制管理部门为机关事业单位设置专属网上标识，非机关事业单位不得使用。机关事业单位网站应当在首页底部中间位置加注网上标识。中央网络安全和信息化委员会办公室会同中央机构编制管理部门协调应用程序分发平台以及公众账号信息服务平台，在移动应用程序下载页面、公众账号显著位置加注网上标识。Thewebsiteofanorganorpublicinstitutionshalladdtheonlineidentifierinthemiddleofthebottomofthehomepage.TheOfficeoftheCentralCyberspaceAffairsCommissionshall,inconjunctionwiththepublicsectorsreformdepartmentofacentralorgan,coordinatewithapplicationdistributionplatformsandofficialaccountinformationserviceplatforms,andaddtheonlineidentifierataprominentpositionofthedownloadpageofthemobileapplicationandtheofficialaccount.Article 10 AllregionsanddepartmentsshallmakeoverallplanningfortheconstructionofwebsitesofPartyandgovernmentorganswithintheirrespectiveregionsanddepartmentstopromoteintensiveconstruction.AlldepartmentsofPartyandgovernmentorgansatthecountylevelandPartyandgovernmentorgansoftownshipsshallnotestablishseparatewebsitesinprinciple,andmayusethewebsiteplatformsofPartyandgovernmentorgansathigherlevelstoopenwebpages,columns,andreleaseinformation.Article 11 Internetgovernmentaffairsapplicationsshallsupportopenstandards,fullyconsiderthecompatibilitywithuserterminals,andusersshallnotberequiredtousespecificbrowsers,officesoftware,orotherhardwareandsoftwaresystemsofuserterminalsforaccess.AnorganorpublicinstitutionprovidingpublicservicesthroughtheInternetshallnotbindtoasingleInternetplatform,andshallnottakeusers'downloading,installation,registration,anduseofaspecificInternetplatformasthepreconditionforaccesstoservices.第十条各地区、各部门应当对本地区、本部门党政机关网站建设进行整体规划，推进集约化建设。县级党政机关各部门以及乡镇党政机关原则上不单独建设网站，可利用上级党政机关网站平台开设网页、栏目、发布信息。笫十一条互联网政务应用应当支持开放标准，充分考虑对用户端的兼容性，不得要求用户使用特定浏览器、办公软件等用户端软硬件系统访问。机关事业单位通过互联网提供公共服务，不得绑定单一互联网平台，不得将用户下载安装、注册使用特定互联网平台作为获取服务的前提条件。第十二条互联网政务应用因机构调整等原因需变更开办主体的，应当及时变更域名或注册备案信息。不再使用的，应当及时关闭服务，完成数据归档和阳除，注销域名和注册备案信息。Article 12 WheretheoperatorofanInternetgovernmentaffairsapplicationneedstobechangedduetoinstitutionaladjustmentoranyotherreason,thedomainnameorregistrationandrecordationinformationshallbemodifiedinatimelymanner.Iftheapplicationisnolongerused,servicesshallbeterminatedpromptly,datarecordationanddeletionshallbecompleted,anddomainnameandregistrationandrecordationinformationshallbederegistered.Chapter III InformationSecurityArticle13WhenreleasinginformationthroughInternetgovernmentaffairsapplications,anorganorpublicinstitutionshallimproveitsinformationreleasereviewrules,specifyreviewprocedures,designateinstitutionsandpersonneltoberesponsibleforthereview,andestablishreviewrecordsandarchives.Itshallensuretheauthority,veracity,accuracy,timeliness,andseriousnessofthecontentoftheinformationtobereleased,andshallnotreleaseanyillegalorharmfulinformation.Article14TheinformationreprintedbyanorganorpublicinstitutionthroughInternetgovernmentaffairsapplicationsshallberelatedtogovernmentaffairsandotheractivitiesofperformingtheirfunctions,andtheveracityandobjectivityofcontentshallbeaccessed.Thereprintedwebpageshallaccuratelyandclearlyindicatethesourcewebsite,reprintingtime,andreprintinglink,amongothers,andintellectualpropertyprotectionissuesconcerningpicturesandcontent,amongothers,shallbefullyconsidered.第三章信息安全第十三条机关事业单位通过互联网政务应用发布信息，应当健全信息发布审核制度，明确审核程序，指定机构和在编人员负责审核工作，建立审核记录档案；应当确保发布信息内容的权威性、真实性、准确性、及时性和严肃性，严禁发布违法和不良信息。第十四条机关事业单位通过互联网政务应用转载信息，应当与政务等履行职能的活动相关，并评估内容的真实性和客观性。转载页面上要准确清晰标注转载来源网站、转栽时间、转载链接等，充分考虑图片、内容等知识产权保护问题。第十五条机关事业单位发布信息内容需要链接非互联网政务应用的，应当确认链接的资源与政务等履行职能的活动相关，或属于便民服务的范围；应当定期检查链接的有效性和适用性，及时处置异常链接。党政机关门户网站应当采取技术措施，做到在用户点击链接跳转到非党政机关网站时，予以明确提示。Article15Whereanorganorpublicinstitutionneedstolinkinformationwithnon-lnternetgovernmentaffairsapplicationsinreleasinginformationcontent,itshallconfirmthatthelinkedresourcesarerelatedtogovernmentaffairsandotheractivitiesofperformingtheirfunctionsorfallwithinthescopeofconvenientservices.Itshallregularlychecktheeffectivenessandapplicabilityofthelinksandpromptlydealwithabnormallinks.Theportalwebsiteofanorganorpublicinstitutionshalltaketechnicalmeasurestogiveclearinstructionswhenusersclickthelinktojumptothewebsiteofanon-Partyorgovernmentorgan.Article16Anorganorpublicinstitutionshalltakesecurityandconfidentialitymeasures,strictlyprohibitthereleaseofstatesecretsandworksecrets,andpreventtherisksofdataleakagecausedbytheaggregationandcorrelationofInternetgovernmentaffairsapplicationdata.Itshallstrengthentheconfidentialitymanagementofworksecretsstored,processed,andtransmittedthroughInternetgovernmentaffairsapplications.Chapter IV CybersecurityandDataSecurityArticle17IntheconstructionofInternetgovernmentaffairsapplications,thecybersecuritygradedprotectionsystemandnationalencryptionapplicationmanagementrequirementsshallbeimplemented,graderecordationandratingassessmentshallbeconductedinaccordancewiththerelevantstandardsandspecifications,andrectificationandreinforcementmeasuresforsecurityconstructionshallbeimplemented,soastopreventcybersecurityanddatasecurityrisks.TheportalwebsitesofcentralandstateorgansandlocalPartyandgovernmentorgansatorabovetheprefecturelevel,andthewebsitesandInternetemailsystems,amongothers,oforgansandpublicinstitutionswithimportantbusinessapplicationsshallsatisfyGradeIIIsecurityprotectionrequirementsforgradedcybersecurityprotection.笫十六条机关事业单位应当采取安全保密防控措施，严禁发布国家秘密、工作秘密，防范互联网政务应用数据汇聚、关联引发的泄密风险。应当加强对互联网政务应用存储、处理、传输工作秘密的保密管理。第四章网络和数据安全第十七条建设互联网政务应用应当落实网络安全等级保护制度和国家密码应用管理要求，按照有关标准规范开展定级备案、等级测评工作，落实安全建设整改加固措施，防范网络和数据安全风险。中央和国家机关、地市级以上地方党政机关门户网站，以及承载重要业务应用的机关事业单位网站、互联网电子邮件系统等，应当符合网络安全等级保护第三级安全保护要求。第十八条机关事业单位应当自行或者委托具有相应资质的第三方网络安全服务机构，对互联网政务应用网络和数据安全每年至少进行一次安全检测评估。Article18AnorganorpublicinstitutionshallconductthetestingandassessmentofcybersecurityanddatasecurityofInternetgovernmentaffairsapplicationsatleastonceayearbyitselforentrustathird-partycybersecuritysen/iceinstitutionwiththecorrespondingqualificationtodoso.Fortheupgrading,increaseofnewfunctions,andintroductionofnewtechnologiesandnewapplicationsbytheInternetgovernmentaffairsapplicationsystem,securitytestingandassessmentshallbeconductedbeforeitislaunchedonline.Article19AccesscontrolstrategiesshallbedevelopedforInternetgovernmentaffairsapplications.ForfunctionsandInternetemailsystemsusedbytheemployeesofgovernmentandpublicinstitutions,accessrestrictionsshallbeimposedontheIPaddressesorequipmenttobeaccessed;andifoverseasaccessisindeednecessary,theauthoritytoaccessspecificequipmentoraccountsforaspecificperiodshallbegrantedaccordingtothewhitelist.Article20Anorganorpublicinstitutionshallretaintheoperationlogsoffirewalls,hosts,andotherequipmentrelatingtoInternetgovernmentaffairsapplications,aswellastheaccesslogsofapplicationsystemsandoperationlogsofdatabasesfornotlessthanoneyear,andregularlybackupthelogstoensuretheircompletenessandavailability.Article21Anorganorpublicinstitutionshall,accordingtotherequirementsofthestateandtheindustryondatasecurityandpersonalinformationprotection,carryoutclassifiedandgradedmanagementofInternetgovernmentaffairsapplicationdata,andfocusontheprotectionofimportantdata,personalinformation,andtradesecrets.互联网政务应用系统升级、新增功能以及引入新技术新应用，应当在上线前进行安全检测评估。第十九条互联网政务应用应当设置访问控制策略。对于面向机关事业单位工作人员使用的功能和互联网电子邮箱系统，应当对接入的IP地址段或设备实施访问限制，确需境外访问的，按照白名单方式开通特定时段、特定设备或账号的访问权限。第二十条机关事业单位应当留存互联网政务应用相关的防火墙、主机等设备的运行日志，以及应用系统的访问日志、数据库的操作日志，留存时间不少于1年，并定期对日志进行备份，确保日志的完整性、可用性。笫二十一条机关事业单位应当按照国家、行业领域有关数据安全和个人信息保护的要求，对互联网政务应用数据进行分类分级管理，对重要数据、个人信息、商业秘密进行重点保护。笫二十二条机关事业单位通过互联网政务应用收集的个人信息、商业秘密和其他未Article 22 Personalinformation,tradesecrets,andothernon-publicinformationcollectedbyanorganorpublicinstitutionthroughInternetgovernmentaffairsapplicationsshallnotbeprovidedordisclosedtoanythirdpartyorusedforanypurposeotherthantheperformanceofstatutorydutieswithouttheconsentoftheinformationprovider.Article 23 Datacentersandcloudcomputingserviceplatforms,amongothers,thatprovideservicesforInternetgovernmentaffairsapplicationsshallbeestablishedwithintheterritoryofChina.Article 24 APartyorgovernmentorgandevelopingInternetgovernmentaffairsapplicationsandpurchasingcloudcomputingservicesshallselectacloudplatformthathaspassedthenationalsecurityassessmentofcloudcomputingservices,andstrengthenthemanagementoftheuseofpurchasedcloudcomputingsen/ices.Article 25 Whenanorganorpublicinstitutionentrustsanoutsourcingentitywiththedevelopment,operation,andmaintenanceofInternetgovernmentaffairsapplications,itshallspecifytheoutsourcingentity'scybersecurityanddatasecurityresponsibilitiesthroughcontractorothermeans,andstrengthendailysupervisionandadministration,assessmentandaccountability;andurgetheoutsourcingentitytouse,store,andprocessdatainstrictaccordancewithagreements.Withouttheconsentoftheauthorizingorganorpublicinstitution,theoutsourcingentityshallnotsubcontractthecontractedtask,oraccess,modify,disclose,use,transfer,ordestroydata.公开资料，未经信息提供方同意不得向第三方提供或公开，不得用于履行法定职责以外的目的。第二十三条为互联网政务应用提供服务的数据中心、云计算服务平台等应当设在境内。笫二十四条党政机关建设互联网政务应用采购云计算服务，应当选取通过国家云计算服务安全评估的云平台，并加强对所采购云计算服务的使用管理。笫二十五条机关事业单位委托外包单位开展互联网政务应用开发和运维时，应当以合同等手段明确外包单位网络和数据安全责任，并加强日常监督管理和考核问责；督促外包单位严格按照约定使用、存储、处理数据。未经委托的机关事业单位同意，外包单位不得转包、分包合同任务，不得访问、修改、披露、利用、转让、销毁数据。机关事业单位应当建立严格的授权访问机制，操作系统、数据库、机房等最高管理员权限必须由本单位在编人员专人负责，不得擅自委托外包单位人Anorganorpublicinstitutionshallestablishastrictauthorizedaccessmechanism,underwhichthehighestadministrator'sauthorityinsuchaspectsastheoperatingsystem,database,andcomputerroommustbeheldbyspeciallyassignedstaffoftheorganorpublicinstitution,andshallnotentrustthestaffofanoutsourcingentitytomanageanduse