《党委(党组)网络安全工作责任制实施办法》
(Approved by the CPC Central Committee on August 15, 2017 and issued by the General Office of the CPC Central Committee on August 15, 2017)
Article 1 In order to further strengthen cybersecurity work, clarify and implement the cybersecurity responsibilities of the leading bodies and leading cadres of the Party Committees (Party Groups), these measures are formulated in accordance with the relevant provisions of the “Regulations on Accountability of the Communist Party of China” and the “Working Rules of the Central Cybersecurity and Informatization Committee”.
Article 2 Cybersecurity work is related to national security, political power security and economic and social development. In accordance with the principle of who is in charge and who is responsible, and local management, Party committees (Party Groups) at all levels shall bear the main responsibility for the cybersecurity work of their regions and departments. The main person in charge of the leading body is the first person in charge, and the members of the leading body in charge of cybersecurity are the direct persons in charge.
Article 3 The main cybersecurity responsibilities of Party committees (Party groups) at all levels are:
(i) conscientiously implement the important instructions and decision-making arrangements of the Party Central Committee and General Secretary Xi Jinping on cybersecurity work, implement cybersecurity laws and regulations, and clarify the main goals, basic requirements, work tasks, and protection measures of cybersecurity in the region and department;
(ii) establish and implement a cybersecurity responsibility system, include cybersecurity work in the important agenda, clarify the work organization, and increase the support and guarantee of human, financial, and material resources;
(iii) uniformly organize and lead the cybersecurity protection and major incident handling work in the region and department, and study and solve important problems;
(iv) take effective measures to provide support and guarantee for public security organs and national security organs to safeguard national security, investigate crimes, and prevent and investigate terrorist activities in accordance with the law;
(v) organize and carry out regular cybersecurity publicity and education, adopt various methods to cultivate cybersecurity talents, and support the development of cybersecurity technology industry.
Article 4 The competent regulatory department of the industry shall be responsible for guiding and supervising the cybersecurity of the industry and field. If there is no competent regulatory department, the region where it is located shall be responsible for guiding and supervising.
The competent regulatory department shall conduct network security inspections and handle network security incidents in accordance with the law, and promptly report the situation to the network security and informatization leading bodies in the regions where the network and information systems are located. When the regions conduct network security inspections and handle network security incidents involving important industries, they shall be conducted in conjunction with the relevant competent regulatory departments.
Article 5 Network security and informatization leading bodies at all levels shall strengthen and standardize the collection, analysis and assessment of network security information in their regions and departments, require relevant units and institutions to report network security information in a timely manner, organize and guide network security notification agencies to carry out network security information notification, and coordinate network security inspections.
Article 6 Network security and informatization leading bodies in various regions and departments shall promptly report major network security matters to the Central Network Security and Informatization Committee, including the introduction of important policies and institutional measures involving network security.
Network security and informatization leading bodies in various regions and departments shall report the network security work situation to the Central Network Security and Informatization Committee every year.
Article 7 The Office of the Central Network Security and Informatization Committee shall, together with relevant departments, commend advanced network security collectives and commend and reward advanced network security workers in accordance with relevant national regulations.
Article 8 Party committees (party groups) at all levels that violate or fail to properly perform the duties listed in these measures shall be held accountable in accordance with relevant regulations.
In any of the following circumstances, the Party committees (Party groups) at all levels shall conduct a retrospective investigation and hold the parties, network security managers and even the main managers accountable. If coordination and supervision are ineffective, the heads of the comprehensive coordination or supervision departments shall also be held accountable.
(1) The portal websites of party and government agencies, key news websites, and large network platforms are attacked and tampered, resulting in the widespread spread of illegal and harmful information such as reactionary speeches or rumors, and no timely reporting and organization of disposal;
(2) The portal websites of party and government agencies at or above the prefecture level or key news websites are attacked but no timely organization of disposal is made, and they are paralyzed for more than 6 hours;
(3) There are leaks of state secrets, large-scale personal information leaks, or large amounts of national basic data such as geography, population, and resources leaks;
(4) Key information infrastructure is attacked by the network, and no timely disposal is made, resulting in large-scale impact on the work and life of the people, or causing major economic losses, or causing serious adverse social impacts;
(5) Blocking or concealing the situation of network security incidents, refusing to cooperate with relevant departments in conducting investigations and disposal work in accordance with the law, or failing to promptly rectify the problems and risks reported by relevant departments, resulting in serious consequences;
(6) Obstructing public security organs and national security organs from maintaining national security, investigating crimes, and preventing and investigating terrorist activities in accordance with the law, or refusing to provide support and guarantees;
(7) Other acts that seriously endanger network security occur.
Article 9 The implementation of accountability should be based on facts and distinguish between collective responsibility and individual responsibility. When collective responsibility is investigated, the main person in charge of the leadership team and the leadership team members in charge of network security shall bear the main leadership responsibility, and other members of the leadership team who participate in relevant work decision-making shall bear important leadership responsibility.
Accountability of leadership teams and leading cadres shall be implemented by party organizations with management authority in accordance with relevant regulations. The offices of the leading institutions for network security and informatization at all levels may make accountability suggestions to the party committees (party groups) and discipline inspection committees (discipline inspection groups) that implement accountability.
Article 10 Party committees (party groups) at all levels shall establish a network security responsibility system inspection and assessment system, improve and perfect the assessment mechanism, clarify the assessment content, methods and procedures, and send the assessment results to the cadre management department as an important part of the comprehensive assessment and evaluation of the leadership team and relevant leading cadres.
Article 11 Audit institutions at all levels shall include network security construction and performance in the audit scope of relevant departments and units.
Article 12 The network ideological work responsibility system shall be implemented in accordance with the “Implementation Rules of the Network Ideological Work Responsibility System of Party Committees (Party Groups)”. Confidential networks shall be implemented in accordance with relevant regulations.
Article 13 The Office of the Central Cyberspace Affairs Commission shall be responsible for interpreting these Measures.
Article 14 These Measures shall come into force on August 15, 2017.
《党委(党组)网络安全工作责任制实施办法》
(2017年8月15日中共中央批准 2017年8月15日中共中央办公厅发布)
第一条 为了进一步加强网络安全工作,明确和落实党委(党组)领导班子、领导干部网络安全责任,根据《中国共产党问责条例》、《中央网络安全和信息化委员会工作规则》等有关规定,制定本办法。
第二条 网络安全工作事关国家安全、政权安全和经济社会发展。按照谁主管谁负责、属地管理的原则,各级党委(党组)对本地区本部门网络安全工作负主体责任,领导班子主要负责人是第一责任人,主管网络安全的领导班子成员是直接责任人。
第三条 各级党委(党组)主要承担的网络安全责任是:
(一)认真贯彻落实党中央和习近平总书记关于网络安全工作的重要指示精神和决策部署,贯彻落实网络安全法律法规,明确本地区本部门网络安全的主要目标、基本要求、工作任务、保护措施;
(二)建立和落实网络安全责任制,把网络安全工作纳入重要议事日程,明确工作机构,加大人力、财力、物力的支持和保障力度;
(三)统一组织领导本地区本部门网络安全保护和重大事件处置工作,研究解决重要问题;
(四)采取有效措施,为公安机关、国家安全机关依法维护国家安全、侦查犯罪以及防范、调查恐怖活动提供支持和保障;
(五)组织开展经常性网络安全宣传教育,采取多种方式培养网络安全人才,支持网络安全技术产业发展。
第四条 行业主管监管部门对本行业本领域的网络安全负指导监管责任。没有主管监管部门的,由所在地区负指导监管责任。
主管监管部门应当依法开展网络安全检查、处置网络安全事件,并及时将情况通报网络和信息系统所在地区网络安全和信息化领导机构。各地区开展网络安全检查、处置网络安全事件时,涉及重要行业的,应当会同相关主管监管部门进行。
第五条 各级网络安全和信息化领导机构应当加强和规范本地区本部门网络安全信息汇集、分析和研判工作,要求有关单位和机构及时报告网络安全信息,组织指导网络安全通报机构开展网络安全信息通报,统筹协调开展网络安全检查。
第六条 各地区各部门网络安全和信息化领导机构应当向中央网络安全和信息化委员会及时报告网络安全重大事项,包括出台涉及网安全的重要政策和制度措施等。
各地区各部门网络安全和信息化领导机构每年向中央网络安全和信息化委员会报告网络安全工作情况。
第七条 中央网络安全和信息化委员会办公室会同有关部门按照国家有关规定对网络安全先进集体予以表彰,对网络安全先进工作者予以表彰奖励。
第八条 各级党委(党组)违反或者未能正确履行本办法所列职责,按照有关规定追究其相关责任。
有下列情形之一的,各级党委(党组)应当逐级倒查,追究当事人、网络安全负责人直至主要负责人责任。协调监管不力的,还应当追究综合协调或监管部门负责人责任。
(一)党政机关门户网站、重点新闻网站、大型网络平台被攻击篡改,导致反动言论或者谣言等违法有害信息大面积扩散,且没有及时报告和组织处置的;
(二)地市级以上党政机关门户网站或者重点新闻网站受到攻击后没有及时组织处置,且瘫痪6小时以上的;
(三)发生国家秘密泄露、大面积个人信息泄露或者大量地理、人口、资源等国家基础数据泄露的;
(四)关键信息基础设施遭受网络攻击,没有及时处置导致大面积影响人民群众工作、生活,或者造成重大经济损失,或者造成严重不良社会影响的;
(五)封锁、瞒报网络安全事件情况,拒不配合有关部门依法开展调查、处置工作,或者对有关部门通报的问题和风险隐患不及时整改并造成严重后果的;
(六)阻碍公安机关、国家安全机关依法维护国家安全、侦查犯罪以及防范、调查恐怖活动,或者拒不提供支持和保障的;
(七)发生其他严重危害网络安全行为的。
第九条 实施责任追究应当实事求是,分清集体责任和个人责任。追究集体责任时,领导班子主要负责人和主管网络安全的领导班子成员承担主要领导责任,参与相关工作决策的领导班子其他成员承担重要领导责任。
对领导班子、领导干部进行问责,应当由有管理权限的党组织依据有关规定实施。各级网络安全和信息化领导机构办公室可以向实施问责的党委(党组)、纪委(纪检组)提出问责建议。
第十条 各级党委(党组)应当建立网络安全责任制检查考核制度,完善健全考核机制,明确考核内容、方法、程序,考核结果送干部主管部门,作为对领导班子和有关领导干部综合考核评价的重要内容。
第十一条 各级审计机关在有关部门和单位的审计中,应当将网络安全建设和绩效纳入审计范围。
第十二条 网络意识形态工作责任制按照《党委(党组)网络意识形态工作责任制实施细则》执行。涉密网络按照有关规定执行。
第十三条 本办法由中央网络安全和信息化委员会办公室负责解释。
第十四条 本办法自2017年8月15日起施行。
