Which of the following situations should be sent to the network information center for follow-up?
In order to properly deal with information security emergencies affecting the school website and ensure its normal operation, this emergency plan is formulated in accordance with the Regulations on the Security Protection of Computer Information Systems of the People's Republic of China (PRC), the Administrative Measures for the Security Protection of International Networking of Computer Information Networks of the People's Republic of China (PRC), the Measures for the Administration of Internet Information Services of the Ministry of Information Industry, the spirit of relevant documents of the Ministry of Education and the Provincial Department of Education, and the actual situation of our school's website.

Emergency measures are as follows:

1. Emergency measures for illegal speech incidents on websites and webpages

(1) The information officer of the host department is responsible for closely monitoring the information content of websites and webpages at any time.

(2) When information appears online that violates national laws and regulations, infringes intellectual property rights, opposes the government, advocates splitting the country or contains pornographic content, or rumors appear that damage the reputation of the country and the school, the information officer shall immediately inform the unit's person in charge of information security; in an emergency, measures such as deletion should be taken first and the incident then reported according to procedures.

(3) After receiving the notice, the person in charge of information security should make necessary records, instruct the information officer to clean up illegal information, properly keep relevant records, and resume the use of website pages.

(4) Trace the source of the illegal information and report the relevant information to the leading group of school informatization.

(5) Apply to the district audio-visual education center for support, help and guidance.

(6) If the situation is serious, report the case to the public security department in time.

2. Emergency measures for attacks

(1) Back up the correct website files to ensure that the website can be restored in time.

(2) When the information officer finds that the website has been attacked and the homepage content maliciously tampered with, the homepage service should be stopped immediately and the correct content restored. Check and analyze the cause of the change, and do not reopen the homepage service until the cause has been found and eliminated; at the same time, notify the person in charge of information security.

(3) In the case of serious attacks (such as destruction of files on the server), repairing the website files is more troublesome; to make the website accessible again as soon as possible, use the website's backup files or temporarily substitute another server. If these preparations are made in advance, the site can usually be repaired within one or two hours after the attack is discovered.

(4) Restore and rebuild the attacked or destroyed websites.

(5) Analyze the site and write an analysis report for archiving.

(6) Report to the district audio-visual education center for support, help and guidance.

(7) The leading group of school informatization holds a group meeting, and if it thinks that the situation is serious, it shall immediately report to the public security department.

To do a good job in the information security management of campus websites, the core work is to back up the websites regularly and save the backup files for emergencies.

Chapter II: Emergency Plan for Information Security

In order to do a good job in the prevention and emergency handling of campus network emergencies, further improve our ability to prevent and control network emergencies, reduce or eliminate the harm and influence of emergencies, ensure the security of the campus network and its information, properly handle emergencies that endanger network and information security, and minimize the influence of emergencies and the spread of harmful information, this plan is formulated in light of the actual work of the school.

Chapter I General Provisions

Article 1 The emergency mentioned in this plan refers to the disasters that endanger the network facilities and information security of the school campus network caused by natural factors or human activities.

Article 2 The guiding ideology of this plan is the Basic Requirements for Computer Network and Information Security of Hubei Normal University.

Article 3 This plan is applicable to all personal and office computers of Hubei Normal University, as well as the computer and network software and hardware of various research institutes, laboratories (centers), teaching rooms, multimedia classrooms and electronic reading rooms, as well as the emergency response of the contents of the school portal website and the websites of subordinate departments.

Article 4 Principles of emergency response: unified leadership, unified command, respective responsibilities, overall operation, giving full play to advantages and ensuring safety.

Chapter II Organization, Command, Duties and Tasks

Article 5 The school shall set up an emergency working group on network and information security. The main responsibility and task of the working group is to lead the disaster emergency response work of the school information network in a unified way. Under the command of school leaders, it is fully responsible for all kinds of emergencies that may occur in the school information network, and coordinates and solves major problems in disaster response.

Article 6 The Modern Information Technology Center (hereinafter referred to as the "Information Center") is responsible for the specific handling of daily information network security incidents. The Information Center is the control center for handling information network security incidents: it is responsible for handling security incidents at the server side and the network level, and provides technical guidance to all departments and colleges (departments) on the security handling of departmental office computers and personal computers.

Chapter III Disposal Measures and Procedures

Article 7 Disposal measures

The basic measures of disposal are divided into pre-disaster and post-disaster situations.

(1) Before a disaster, the information center and the personnel of the technical center shall, in accordance with the requirements of their post responsibilities, earnestly strengthen the daily inspection and maintenance of information network security, regularly apply system patches and update antivirus software, check the operation of firewalls and the IDS (Intrusion Detection System), and eliminate hidden dangers in time;

All units of the school earnestly implement the responsibilities of website management and safety responsibility system of the department, especially the departments that set up interactive column websites such as online forums, message boards, chat rooms, communities, etc., to implement the systems of information release review, information inspection, moderator responsibility, etc., and to be equipped with preventive measures and special personnel management;

Strengthen the popularization of information network security common sense, so that teachers and staff can master information network security common sense and have certain basic knowledge of preventing and handling emergencies.

Establish and improve the system of quick reporting of disasters to ensure the smooth reporting channels of emergency information of sudden disasters. If it is a major disaster, it should also be reported to the network supervision department of Huangshi Public Security Bureau while reporting to the work leading group.

(2) After a disaster occurs, immediately start the emergency plan, follow the emergency disposal procedures, determine the level of the disaster, and immediately report the disaster to the working group. During disposal, promptly report the progress of the disposal work until it ends.

Article 8 Disposal procedures

(1) Understand the situation

The Modern Information Technology Center should strictly implement the duty system, carry out daily patrols of campus network information system security and preserve logs, and ensure that disasters are discovered at the earliest moment and handled in time.

(2) Starting the plan

Once a disaster occurs, start the emergency plan immediately and enter the disposal procedure of the emergency plan.

(3) Emergency treatment methods

When a disaster occurs, it is necessary to distinguish between natural disasters and man-made disasters. According to these two situations, the emergency treatment methods are divided into two processes.

Process 1: When the disaster is a natural disaster, we must first ensure the data security, and then ensure the equipment security according to the actual situation at that time and on the premise of ensuring personal safety. Specific methods include: hard disk pull-out and storage, power failure, equipment disassembly and relocation, etc.

Process 2: When a man-made or virus-caused disaster occurs, proceed in the following order: determine the source and nature of the damage, disconnect the information network equipment that affects security and stability, disconnect the physical network connection to the source of the damage, track and lock the IP address or other network user information of the source of the damage, repair the damaged information, and restore the information system. According to the nature of the disaster, the following schemes are adopted respectively:

1. Virus spread: Disconnect the source of the spread in time, determine the nature of the virus and the port it uses, then close the corresponding port, and publish the virus attack information and defense methods on the Internet.

2. Intrusion: For network intrusion, we must first judge the source of the intrusion and distinguish between the external network and the internal network. If the intrusion comes from an external network, locate the IP address of the intrusion, close the port of the intrusion in time, and restrict access to the IP address of the intrusion. If you can't stop it, you can use the method of disconnecting the network. If the intrusion comes from the intranet, find out the source of the intrusion, such as IP address, online account and other information, and disconnect the corresponding switch port at the same time. Then the intrusion detection equipment is built or updated according to the intrusion method.

3. The information has been tampered with: In this case, it is required to disconnect the corresponding information from the Internet once it is found, and restore it as soon as possible.

4. Network failure: Once found, it can be eliminated as soon as possible according to the corresponding workflow.

5. Other disasters caused by unlisted uncertainties can be handled according to general safety principles and specific conditions. If you can't handle it, you can consult relevant professionals.

(4) Report on the situation

When a disaster occurs, it should be handled according to the emergency disposal method and, at the same time, its level should be determined. It should first be reported to the school network and information security emergency response working group. When a major disaster occurs, it may also be reported to the network supervision department of the Municipal Public Security Bureau. Small and medium-sized disasters may be reported only to the school network and information security emergency handling working group. The progress of the disposal work should be reported in a timely manner until the disposal work ends. The contents of the situation report include: the time and place of the disaster, the level of the disaster, the consequences of the disaster, the process and results of emergency treatment, the end time of the disaster, and suggestions and programs on how to prevent similar disasters from happening in the future.

(5) Issue an early warning

When a disaster occurs, early warning can be issued appropriately according to the harm degree of the disaster, especially some disasters that have appeared in other places or have been published on safety-related websites but have not appeared in the school information network. In addition to technical precautions, we should also issue an early warning to network information users until the disaster warning is lifted.

(6) Termination of the plan

After the expert group determines that the disaster danger or disaster situation has been eliminated or effectively controlled, the school network and information security emergency handling working group will announce the end of the emergency period of danger or disaster situation, make an announcement and terminate the plan at the same time.

Chapter IV Safeguard Measures

Disaster emergency prevention and control is a long-term, continuous, follow-up, deep-seated and interrelated work at all stages. It is an organized scientific and social behavior, and emergency support must be done well.

Article 9 Protection of personnel

Pay attention to the construction and guarantee of personnel, and ensure that someone is on duty before, during and after the disaster.

Article 10 Technical Support

Pay attention to the construction and upgrading of network information technology, ensure the strength and security of network information systems before disasters occur, and provide relevant technical support during disaster disposal and post-disaster reconstruction.

Article 11 Material guarantee

Establish an emergency material reserve system to ensure that the technical equipment of the rescue and relief team is updated in time to ensure the smooth progress of disaster emergency work.

Article 12 Training and Exercises

Strengthen the publicity and popularization of the knowledge of disaster prevention and mitigation of network information users in the whole school, and enhance their awareness of disaster prevention and their ability of self-help and mutual rescue. Carry out targeted rescue drills to ensure timely and effective emergency rescue measures after the disaster.

Chapter V Supplementary Provisions

Article 13 The Modern Information Technology Center is responsible for the interpretation of this plan.

Article 14 This plan shall come into force as of the date of promulgation.

Chapter III: Information Security Emergency Plan

When a security incident or accident occurs in the computer network of the unit, take emergency plans to ensure the safety of the computer network.

First, the establishment of computer network security emergency working group.

Team leader:

Deputy team leader:

Members:

The computer network security emergency team timely and quickly coordinates and handles various incidents or accidents. Arrange special personnel to be on duty 24 hours a day in special periods.

Second, countermeasures and measures for computer network security accidents

Computer network security event reporting program

When staff and managers find or know that computer network security incidents have occurred, they should immediately notify the station computer network security emergency team, which will inform the company computer network security emergency team, and at the same time quickly shut down the problem equipment, and the technicians of the company emergency team will analyze the reasons and solve the problems.

Third, technical measures.

1. Spam filter

According to the requirements of the Ministry of Public Security, the Ministry of Information Industry and the State Council Press Office, a spam filter was purchased and installed to prevent and control attacks and damage caused by spam. All indicators of the equipment meet or exceed the standards set by the above-mentioned leading departments.

2. Log server

Collect and manage the daily operation logs of network and server equipment in a unified way, so that an intruder who compromises a specific device cannot also edit its log records and thereby hinder the understanding and solution of the problem.

3. Intrusion detection server

The purchased intrusion detection equipment can respond according to the traffic of each specific real IP address in the network, especially abnormal traffic (except for IP addresses blocked by the firewall).

4. Data backup system

Servers holding important data can be backed up, so that when a server has problems it can be repaired in time and the safety of important data ensured.

5. Webpage tamper-proofing

Browse and check the contents of the company's website by combining manual and technical means, to prevent webpages from being tampered with.

Fourth, daily management.

1. Update the antivirus software virus database of the server in time.

2. Scan and patch all servers regularly.

3. Strictly control the soft port opened by the uplink switch on the network segment of the hub server.

4. Implement a hierarchical management system and assign management responsibilities.

Chapter IV: Information Security Emergency Plan

First, the guiding ideology:

With the rapid development of the Internet and related information and communication services, information dissemination presents a trend of diversification of channels, network influence and rapid diffusion. The connotation and extension of network information security has gone far beyond the original traditional concept, involving national politics, economy, culture and other aspects, and has become a major issue related to national security and social stability, and has been listed as the top priority of business work from the central government to the local government. In light of the kindergarten's own situation, and to strengthen supervision and management, this plan is formulated.

Second, the institutional setup:

Leading group for emergency work to prevent network information security emergencies:

Team leader:

Deputy team leader:

Members: Class teachers.

Third, responsibilities of the leading group:

1. Strengthen organization and management control:

The kindergarten has set up a leading group for network security management with the director as the leader. Through the establishment of organizations, strengthen awareness, clarify responsibilities, strengthen control, and ensure the implementation of network security management.

2. Strengthen business training and improve the level of prevention:

Actively carry out relevant training, improve the network management level of network administrators, regularly carry out publicity and education on network security and civilized internet access for teachers, improve all teachers' awareness of legal system, responsibility, politics, self-discipline and network security, form a good atmosphere for teachers and students to jointly resist harmful information on the network, ensure the safe operation of kindergarten network system and better serve education and science.

To strengthen the construction of network security, network administrators should strengthen inspections, discover security loopholes in the network itself in time, ensure the timely and effective update of software firewalls and antivirus software, improve the network system's ability to defend against attacks, and try to avoid network attacks and viruses.

3. Implement censorship to ensure that the news is true and healthy:

A designated person is responsible for communications and reporting in the kindergarten, and content can only be released or disseminated after approval. Anyone who, without the consent of the director, makes remarks that are detrimental to the image of the kindergarten or society shall bear legal responsibility and be held accountable according to relevant regulations. At the same time, permissions on the news release system are strictly managed, and only those who have been certified by the security management team can publish lawful news on the network.

Fourth, strengthen safety management and respond quickly and effectively:

1. Filter illegal websites, back up important files regularly, and combine network backup with CD burning backup.

2. The network administrator insists on conducting security check at least once a day to keep abreast of the network operation and ensure the safety, stability and reliability of the campus network.

3. Once you find any violation of the kindergarten network security management system, stop using the campus network immediately.

4. The network security management leading group should organize relevant personnel to investigate and deal with violations at the first opportunity, and deal severely with violators according to relevant laws, regulations and kindergarten rules.

5. Delete harmful information immediately.

Chapter V: Emergency Plan for Information Security

In order to ensure the normal use of the network, give full play to the role of the network in the information age, promote the healthy development of educational informatization, properly handle emergencies that endanger the network and information security, and minimize the impact of emergencies and the spread of harmful information, this plan is formulated in accordance with the State Council's Measures for the Administration of Internet Information Services and related regulations.

First, emergency response to emergencies that endanger network and information security

1. If viruses, Trojans or intrusions are found in the LAN, the network management center shall immediately cut off the connection between the local area network and the external network. If necessary, disconnect the computers in the offices to prevent external and cross connections.

2. If an emergency occurs in the campus network or on a server with an external IP address, the school should immediately cut off the connection with the external network and, if necessary, disconnect all nodes in the school; if an emergency occurs in rented off-campus space, contact the lessor immediately and close the rented space.

3. If harmful information is found, or data is found to have been tampered with, on servers accessible from the outside (such as website and email servers), the server's network connection should be cut off immediately so that it cannot be accessed from outside, preventing the spread of harmful information.

4. Take corresponding measures to remove the problem completely. If harmful information is found, delete it promptly after retaining relevant records, and report it to the Municipal Education Bureau and (if the circumstances are serious) the public security department.

5. The use of the network (website) can only be resumed after the security problem is solved.

Second, safeguard measures

1. Strengthen leadership, improve institutions, and implement the responsibility system for network and information security. Set up a leading group for network and information security management, and appoint a security administrator. Clarify job responsibilities and implement the safety responsibility system; BBS, chat rooms and other interactive columns should have preventive measures and be managed by designated personnel.

2. The local area network is managed and maintained by the network management center. Others are not allowed to dismantle and repair the equipment and connect the terminal equipment without authorization.

3. Strengthen safety education, enhance safety awareness, and establish the concept that everyone is responsible for network and information security. Weak security awareness is the main cause of network security accidents. Schools should strengthen network security education for teachers and students, enhance network security awareness, and link network security awareness with political awareness, responsibility awareness and confidentiality awareness. In particular, we should guide students to improve their ability to identify harmful information and guide them to use the Internet healthily.

4. Don't turn off or disable the firewall. Keep the firewall system management password safe. Install anti-virus software on each computer and update the virus definitions in time.

Chapter VI: Information Security Emergency Plan

Emergency Plan for Information Security (I): Emergency Plan for Network Information Security

In order to minimize losses and ensure that all emergency work can be carried out efficiently and orderly when network security problems occur, this plan is formulated according to the Measures for the Administration of Internet Information Services and the spirit of the documents of the higher authorities, combined with the actual operation and application characteristics of our campus network.

Working principle: clear responsibilities, unified management and quick handling.

First, treatment plans at each level

1. Handling plan for bad-information incidents on the website

(1) Once bad information appears on the campus website (or a webpage is modified by an attack), close the website immediately.

(2) Back up the directory where the bad information appeared, record the time it appeared, and back up the HTTP connection log of the previous week for investigation.

(3) Keep the bad information page.

(4) Isolate the directory containing bad information so that it can no longer be accessed.

(5) Delete the bad information, check all the information of the whole network to ensure that there is no other bad information, reopen the website service and test the website operation.

(6) Check the HTTP log and the firewall network connection log comprehensively to determine the source IP address of the bad information. If it comes from inside the school, immediately escalate the incident to the highest emergency level and report it to the leader of the leading group.
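Steps (2) and (6) above as an added example, not part of the original plan: it scans access logs in the common "combined" format for successful write requests to the isolated directory during the week before the incident, groups them by source IP, and flags escalation when a source lies inside the campus ranges. The campus range, incident time, directory and log lines are constructed assumptions.

```python
import ipaddress
import posixpath
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote, urlsplit

# Assumption: campus address range; replace with the school's real ranges.
CAMPUS_NETS = [ipaddress.ip_network("10.20.0.0/16")]
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample data (documentation addresses, invented paths).
INCIDENT_TIME = datetime(2024, 3, 12, 3, 0, tzinfo=timezone(timedelta(hours=8)))
SAMPLE_LOG = """\
198.51.100.23 - - [04/Mar/2024:09:10:00 +0800] "POST /bbs/post.php HTTP/1.1" 200 310 "-" "curl/8.0"
203.0.113.7 - - [11/Mar/2024:23:58:01 +0800] "GET /bbs/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:55 +0800] "POST /bbs/post.php?tid=9 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:15:10 +0800] "POST /news/%2e%2e/bbs/upload.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
10.20.4.31 - - [12/Mar/2024:02:40:00 +0800] "POST /bbs/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:41:00 +0800] "POST /bbs/admin.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.20.4.31 - - [12/Mar/2024:08:00:00 +0800] "POST /news/submit.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
-- log rotated --
"""


def parse_line(line):
    """Parse one access-log line; return None if it is not a valid record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    # Drop the query string, decode %-escapes and collapse "../" segments so
    # that an obfuscated path is still matched against the directory.
    path = posixpath.normpath(unquote(urlsplit(m["target"]).path) or "/")
    return {"ip": ip, "when": when, "method": m["method"],
            "path": path, "status": int(m["status"])}


def triage(lines, incident_time, directory, days=7, campus_nets=CAMPUS_NETS):
    """Summarise accepted write requests to `directory` in the prior `days`."""
    prefix = directory.rstrip("/") + "/"
    start = incident_time - timedelta(days=days)
    sources, unparsed = {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep count: gaps in the log matter too
            continue
        if not (start <= rec["when"] <= incident_time):
            continue
        if rec["method"] not in WRITE_METHODS or rec["status"] >= 400:
            continue               # reads and rejected requests changed nothing
        if not rec["path"].startswith(prefix):
            continue
        entry = sources.setdefault(str(rec["ip"]), {
            "internal": any(rec["ip"] in net for net in campus_nets),
            "requests": 0, "first": rec["when"], "last": rec["when"],
            "paths": set(),
        })
        entry["requests"] += 1
        entry["first"] = min(entry["first"], rec["when"])
        entry["last"] = max(entry["last"], rec["when"])
        entry["paths"].add(rec["path"])
    return {
        "sources": sources,
        # Step (6): a source inside the school raises the incident level.
        "escalate": any(s["internal"] for s in sources.values()),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines(), INCIDENT_TIME, "/bbs")
    for ip, s in report["sources"].items():
        where = "internal" if s["internal"] else "external"
        print(ip, where, s["requests"], sorted(s["paths"]),
              s["first"].isoformat(), s["last"].isoformat())
    print("escalate:", report["escalate"], "unparsed lines:", report["unparsed"])
```

When the site sits behind a reverse proxy the logged address is the proxy's, and logs read from the affected server are only as trustworthy as that server, so work from the copy held on a separate log server where one exists.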

2. Handling plan for malicious network attack incidents

(1) When a malicious network attack is found, immediately judge whether the attack comes from inside or outside the school, which devices are attacked, and how large the scope of influence is. Quickly infer the worst result of the attack, and decide whether it is necessary to urgently cut off the network connection between the campus network servers and the public network to protect important data and information.

(2) If the attack comes from outside the school, immediately find out the IP address of the other party from the firewall and filter it. At the same time, filters are set for such attacks, and whether to call the police is decided according to the severity of the situation.

(3) If the attack comes from inside the school, immediately determine the source of the attack, disconnect the corresponding computer's network connection and temporarily take custody of the computer, and immediately analyze the computer to determine the cause of the attack.

(4) Restart the network equipment connected to the computer until the network communication is fully restored.

(5) Analyze the computer, remove all viruses, malicious programs, Trojan horses and junk files, then test and run the computer for more than 5 hours while monitoring it. If there is no problem, return the computer.

Second, the establishment of a safety emergency leading group

All campus administrators and network administrators form a network security emergency leading group. The main responsibilities of the leading group:

1. Strengthen leadership, improve organization, strengthen post responsibilities, and improve the formulation of various emergency plans and the implementation of various measures.

2. Make full use of various channels to publicize and educate network security knowledge, organize and guide the popularization of network security knowledge in the whole school, and constantly improve the awareness and basic skills of teachers and students.

3. Take all necessary measures to organize all forces to comprehensively deal with network security accidents and minimize adverse effects and losses.

Third, the aftermath of network information security accidents

1. Members of the emergency team quickly restore the normal operation of the network according to the emergency plan, and strengthen the network monitoring and protection measures in a targeted manner.

(1) After the accident is handled, gradually restore the network operation and monitor whether the accident source still exists.

(2) After the incident, quickly find out the cause of the incident, find out the responsible person, and report it to the leading group for handling according to the responsibility.

(3) In view of this accident, further determine relevant safety measures, sum up experience and strengthen prevention.

2. Do a good job in ideological publicity and education for teachers and students, quickly restore normal order, and fully safeguard the security and stability of campus networks.

Fourth, others.

In emergency action, all departments on campus should cooperate closely and obey the command of the leading group to ensure the smooth implementation of government decrees and measures.

Emergency Plan for Information Security (II): Emergency Plan for Campus Network Security

In order to deal with information security incidents on campus network in time and ensure the normal operation of campus network, this plan is specially formulated.

First, the definition of campus network security incidents

1. The homepage of the website in the campus network is maliciously edited, and information such as anti-government, secession, obscenity and pornography, as well as rumors that damage the reputation of the country and the campus are published in the interactive column.

2. The campus network is illegally invaded, and the data on the application server is illegally copied, modified and deleted.

3. The information published on the website violates national laws and regulations, infringes on intellectual property rights and causes serious consequences.

Second, the network security incident emergency handling institutions and responsibilities

1. Set up an information network security incident emergency team to be responsible for the organization, command and emergency response of information network security incidents. The team leader is the main person in charge of the campus, and the members are the leaders in charge and the responsible persons of the network center and other units. The team undertakes related work such as organization and coordination, investigation and evidence collection, emergency response and external information release.

2. Leading bodies

Head of Campus and Head of Network Security Management Center: Wang Huidong.

Director and Deputy Director of Network Security Management Center: Yuan

Members of Network Security Management Center:, Chen, Qin Feng, Yu Xiaobo.

Third, reporting and handling of network security incidents

After the incident occurs and is confirmed, the personnel of the network center or relevant departments should immediately report the situation to the relevant leaders, and the leaders (team leaders) will decide whether to start the plan. Once the plan is started, relevant personnel should be in place in time. The network center shall write a written report within 24 hours after the incident. The report shall include the following information: time, place, unit, incident data, computer IP address, administrator, operating system, application service, loss, nature and cause of the incident, incident handling and measures taken; Accident reporter, reporting time, etc. Network center personnel enter the state of emergency treatment, block network connection, conduct on-site protection, assist in investigation and evidence collection, and restore the system. Track related events, pay close attention to the event dynamics, and assist in investigation and evidence collection. Relevant illegal incidents are handed over to the public security organs for handling.