The Emergency Disposal of Jincheng Internet Network Security Emergency Plan

5.1 Information reporting and processing

5.1.1 Information sources mainly include the following three categories:

(1) Information on Internet network security events monitored by the forecasting and early warning system;

(2) Internet network security incident information notified by superior departments or other functional departments;

(3) Information reported by the public and by the units responsible for information security.

5.1.2 After an Internet network security incident occurs, the incident unit, the responsible unit and the relevant working institutions shall immediately organize emergency rescue in accordance with the relevant emergency plan and reporting system, and at the same time summarize the information and report it promptly to the superior competent department and the Municipal Network Security Office.

5.1.3 When a general Internet network security incident occurs, the incident unit must report orally to the duty room of the Municipal Network Security Office (located in the municipal information center) within half an hour, and report in writing to the same duty room within 1 hour; major Internet network security incidents or special circumstances should be reported immediately.

5.1.4 In case of major Internet network security incidents, the Municipal Network Security Office, the relevant district and county governments and the responsible units must report orally to the duty room of the municipal party committee and municipal government within 1 hour after receiving the report, and report in writing to the same duty room within 2 hours; particularly serious Internet network security incidents or special circumstances shall be reported immediately.

5.1.5 Information processing can be carried out according to the following procedures:

(1) Record and understand. After receiving an alert of an Internet network security incident, first record the data traces and details of the incident, understand the loss and impact caused by the incident and the state of on-site control, and gather the relevant information on the incident as comprehensively as possible.

(2) Event confirmation and judgment. On the basis of summarizing relevant information, judge the nature of the incident in time, and carry out the next step according to the judgment result.

① For events that are Internet network security incidents, further verification should be made with reference to the database; once confirmed as an Internet network security incident, the event enters the event analysis process.

② In case of a false alarm, the personnel on duty shall record and handle the incident.

③ For events unrelated to Internet network security, the personnel on duty should also make records and hand them over to the relevant departments for handling.

(3) Event analysis. After the event is confirmed, according to the available information, analyze the losses and expected losses caused by the event, the severity and scope of the event, etc.

(4) Prepare to start the emergency handling procedure. According to the results of the incident analysis, the Municipal Network Security Office determines the incident level according to the Internet network security incident level judgment standard, and prepares to start the corresponding emergency plan handling procedures.

5.2 Emergency response

5.2.1 Response level

According to the controllability, severity and scope of influence of Internet network security incidents, emergency response is divided into four levels, I, II, III and IV, which are used to deal with particularly serious, major, large and general Internet network security incidents respectively.

Hierarchical response

(1) Level I and II emergency response. When a major or particularly serious information security incident occurs, the Municipal Network Security Office shall immediately report to the municipal government or the municipal government shall determine the level and scope of emergency response, start the corresponding emergency plan, set up the municipal emergency response headquarters when necessary, and uniformly command and coordinate the relevant units and departments to implement emergency response.

(2) Level III and IV emergency response. For general and large information security incidents, the Municipal Network Security Office organizes and coordinates the functional departments and units responsible for handling Internet network security incidents and the county government where the incident occurred, dispatches the required emergency resources, and assists the incident unit in carrying out emergency handling.

Response program

(1) Emergency resource allocation

① Coordination of emergency personnel. According to the specific Internet network security incidents, the Municipal Network Security Office is responsible for organizing and coordinating various emergency technicians such as information security experts, network experts and information system experts.

② Relevant authorities. The municipal network security office is responsible for clarifying and coordinating the authority required by the disposal institution or personnel in the emergency response process.

③ Other necessary resources. According to the information in the emergency database, the Municipal Network Security Office obtains the network and communication resources, computer equipment, network equipment, network security equipment and software, case handling records, solutions and other resources needed to deal with the incident, to provide reference for the handling team.

(2) Formulation and inspection of disposal plan. The disposal team shall formulate a specific disposal plan and submit it to the relevant working institutions, event units and relevant functional departments of the Municipal Network Security Office for inspection, and the inspection results shall be reported to the municipal emergency disposal headquarters.

(3) Disposal decision and resource scheduling. The municipal emergency disposal headquarters shall evaluate the inspection results reported by the municipal network security office. After approval, the contact group and relevant departments will coordinate and implement the required resources according to the requirements of the disposal plan.

(4) Implement disposal. According to the instructions issued by the headquarters, the disposal team establishes an operation mechanism according to its responsibilities and operational authority to carry out emergency disposal of Internet network security incidents.

5.3 Preliminary disposal

5.3.1 After an Internet network security incident occurs, the incident unit must deal with it immediately, start the relevant emergency plan handling procedures according to its responsibilities and prescribed authority, control the development of the situation, and report in time to the Municipal Network Security Office, the Municipal Emergency Center or the county government where the incident occurred.

5.3.2 After receiving the incident information, the Municipal Network Security Office shall keep abreast of the development of the incident, evaluate the impact and possible scope of the incident, judge the development trend of the incident, and organize professional working institutions to participate in the early emergency response of Internet network security incidents within their respective responsibilities as required.

5.3.3 The Municipal Network Security Office shall, jointly with the Municipal Emergency Center, organize the county governments in the incident area and relevant linkage units to jointly handle large and general Internet network security incidents, and be responsible for organizing and implementing the pre-disposal of particularly serious or major Internet network security incidents.

5.4 Emergency Command and Coordination

5.4.1 When an Internet network security incident that cannot be controlled in advance occurs, the Municipal Network Security Office shall promptly judge the level of the incident and report it to the municipal government. When necessary, the emergency headquarters will be established, with a liaison group and a disposal group.

5.4.2 The on-site headquarters is established by the county government and the municipal network security office as the case may be, and is responsible for the command and coordination of on-site emergency response under the unified command of the municipal emergency headquarters. The on-site headquarters is composed of the municipal network security office, the competent departments and responsible units where Internet security incidents occur, and information security experts are organized to participate according to the disposal needs.

5.5 End of the state of emergency

5.5.1 For major and particularly serious Internet network security incidents, after the emergency response work is completed or the related risk factors are eliminated, the municipal government decides, on the suggestion of the municipal emergency response headquarters, to terminate the emergency measures and return to normal management.

5.5.2 For general and large Internet network security incidents, the standard for ending the emergency is that the information system and business have returned to normal, other incidents derived from this incident have disappeared, and the security risks have been eliminated. The Municipal Network Security Office announces the end of the emergency and the transfer to normal management.