Yantai Tengda Network Security Emergency Plan


Release time: 2023-06-06

Network Security Emergency Plan

(I) Purpose of Preparation

Improve the ability to respond to emergencies; ensure that Internet emergency communication, command, dispatch and handling work is carried out quickly, efficiently and in an orderly manner; meet the needs of Internet communication support and communication recovery work in emergencies; safeguard the interests of the enterprise; ensure the smooth progress of production; and create a safe, stable and reliable network environment.

(II) Basis of Preparation

The "Telecommunications Regulations of the People's Republic of China", the "National Communications Security Emergency Plan", the "Regulations of the People's Republic of China on the Security Protection of Computer Information Systems", the "Measures for the Prevention and Control of Computer Viruses", the "Measures for the Administration of Filing of Non-commercial Internet Information Services", the "Measures for the Administration of Filing of Internet IP Address Resources", the "Measures for the Administration of China Internet Domain Names" and other relevant laws and regulations.

An information network security incident emergency command team shall be established and shall be responsible for organizing and commanding the response to information network security incidents. The commander-in-chief is the principal leader, the deputy commander-in-chief is the leader in charge, and the command team's members are drawn from the information center.

(I) Hazard Source Analysis and Classification of Early Warning Levels

1.1 Hazard Source Analysis

According to the process, nature and mechanism of their occurrence, network and information security public emergencies are mainly divided into the following three categories:

(1) Natural disasters: damage to the network and information system caused by earthquake, typhoon, lightning, fire, flood, etc.

(2) Accident disasters: damage to the network and information system caused by power interruption, network damage, or software or hardware equipment failure.

(3) Man-made destruction: damage to the network and information system caused by deliberate destruction of network lines or communication facilities, hacker attacks, virus attacks, or terrorist attacks.

2.2 Classification of Warning Levels

1. Classification of warning levels

According to the results of prediction and analysis, early warnings are divided into four grades: Grade I (particularly serious), Grade II (serious), Grade III (heavy) and Grade IV (general).

Level I (particularly serious): caused by a particularly serious public emergency that may cause enterprise-wide Internet communication failure or large-area backbone network interruption, damage or accidental destruction of communication hub equipment, or other major situations requiring communication security emergency preparedness; a communication network failure that may escalate into enterprise-wide Internet communication failure or large-area backbone network interruption; or a fire or other major natural disaster discovered in the computer room.

Level II (serious): caused by a major public emergency that may interrupt enterprise network communication and requires communication security emergency preparedness.

Level IV (general): caused by a general public emergency that may cause a communication failure of the local network to which a switching point in the local area network belongs, without affecting normal general communication.

(II) Prevention Mechanism

The information network security accident emergency command team shall strengthen supervision and inspection of the communication security institutions at all levels and of network-wide communication security protection and emergency disposal work, so as to ensure that the communication network is safe and unobstructed.

(III) Early Warning Monitoring

The responsible persons and departments in charge of all important information systems shall further improve the system for monitoring, forecasting and early warning of network and information security public emergencies, implement responsibilities, and develop an information communication work system. In accordance with the principle of "early detection, early reporting, early disposal", they shall strengthen the collection, analysis, assessment and continuous monitoring of network and information security public emergencies and of related information that may trigger such emergencies.

(IV) Initial Disposal

When a network and information security public emergency occurs, the personnel who discover the incident shall report to the relevant system administrator in accordance with the regulations and promptly report to the relevant leaders of the information network security accident emergency command team. After taking over the incident report, the responsible personnel shall submit the emergency work process and an incident analysis report to the command team. The report mainly covers the source of the information, the scope of impact, the nature of the incident, its development trend and the measures taken.

(I) Emergency Treatment Classification and Procedures

When an emergency occurs, emergency communication support work and communication recovery work shall be handled separately according to the early warning level of the response, in accordance with the principles of speed, mobility and flexibility.

Level I: The information network security incident emergency command team is responsible for organizing and coordinating the response to enterprise-wide communication failures, large-scale backbone network interruptions, damage to communication hub equipment, etc., and communication support tasks assigned by the enterprise. The responsible personnel shall quickly and accurately locate the source of the fault. If it is a core equipment fault, it shall be switched over to the standby core equipment promptly, then tested and adjusted. If it is a physical link failure of the backbone network, the relevant department (communication company) shall be notified immediately to carry out emergency repair, and traffic switched to the standby line, then tested and adjusted. In the case of hacker attacks, malicious destruction or other man-made network failures, the public security organs shall be notified promptly, and at the same time emergency actions such as cutting off the data source shall be taken to confine the loss to a small range. When a major natural disaster hazard is discovered, the information network security accident emergency command team shall be informed promptly, the fire department and other relevant departments notified, and the tools needed for temporary disaster response prepared. Fire is a common disaster, and the following steps shall be followed once a fire is discovered:

(1) If a fire is discovered, the power supply shall be cut off immediately, and the attendant shall use fire-fighting equipment to deal with it promptly.

(2) Immediately report to the leader and make incident handling records.

(3) If the fire cannot be controlled by cutting off the power supply and using the fire extinguisher in the machine room, it shall be reported to the fire service promptly (alarm telephone number: 119). When calling, the location and condition of the fire shall be stated accurately and a contact telephone number left.

(4) In an emergency, use every available means to escape in time.

Level II: When the emergency interrupts network communication of several subordinate branches of the enterprise, or a communication support task is received from the relevant departments of the enterprise, the information network security accident emergency command team is responsible for organization and coordination. The responsible personnel shall quickly and accurately locate the source of the fault. If it is a failure of a key piece of network equipment, it shall be switched over to the standby equipment promptly, then tested and adjusted; if it is a physical link failure of the backbone network, the relevant department (communication company) shall be notified immediately to carry out emergency repair, and traffic switched to the standby line, then tested and adjusted. If a business system fails, the following measures shall be adopted:

2. Trend Antivirus Server:

1. When the following situations occur on the Trend antivirus server, the attendant is responsible for restarting the Trend antivirus server:

(1) When the IE installation page is opened, "This page cannot be displayed" appears.

(2) A large number of users report that the client cannot connect to the server.

2. If the system still cannot be used normally after restarting the server, the system administrator shall be notified immediately, and the failure symptoms and handling process shall be recorded promptly.

3. If the system administrator has not eliminated the fault after one hour of handling, the section chief shall be notified to coordinate the handling.

(II) End of the Emergency Support Mission

When the incident site is under control, the network environment meets the relevant standards, and the hidden dangers of secondary and derivative incidents have been eliminated, it may be confirmed that the network communication support and communication recovery emergency tasks are complete. The information network security accident emergency command team issues a notice cancelling the task; once the on-site emergency command organization receives the notice, the task officially ends.

(III) Investigation, Handling, Consequence Assessment, Supervision and Inspection

The information network security accident emergency command team is responsible for investigating, analyzing and handling the causes of major communication accidents, assessing their consequences, and supervising and inspecting the handling of accident responsibilities.

(IV) Information Release

The information network security incident emergency command team is responsible for the release of relevant information.

(V) Communications

In the process of emergency response, it is necessary to ensure smooth communication between the internal institutions of the emergency response system. The main means of communication are fixed telephone, mobile telephone and satellite telephone.

5. Post-Incident Disposal

(I) Situation Report and Experience Summary

During emergency response, the information network security accident emergency command team shall compile statistics and summaries of the loss of network facilities in the emergency, analyze the causes, summarize the emergency response, and report according to the procedures. Any equipment requiring maintenance or repair shall be dealt with promptly.

(II) Reward and Punishment Evaluation and Commendation

In order to improve the efficiency and enthusiasm of communication support emergency work, units and individuals that perform outstandingly in responding to emergencies shall be commended by notice; units and individuals whose support is ineffective and causes losses to the enterprise shall be dealt with in accordance with the relevant regulations.

6. Safeguard Measures

(I) Material Support

The information network security accident emergency command team shall establish the necessary guarantee mechanism for communication support emergency resources, equip the necessary communication support emergency equipment according to the requirements of the work, and strengthen the management, maintenance and upkeep of emergency resources and equipment so that they can be called upon at any time in an emergency.

(II) Personnel Support

The communication support emergency team is mainly composed of relevant personnel of the information center. The personnel of the information network security accident emergency command team shall continuously improve their professional level and obey the command of the team leader.

(III) Awareness, Training and Exercises

The information network security accident emergency command team shall strengthen publicity work on communication network security and communication support emergencies, regularly or irregularly conduct technical training and emergency drills for the team's main technical personnel, ensure the effective implementation of the emergency plan, and continuously improve communication support emergency capability.

(V) Supervision and Inspection System for Communication Support Emergency Work

The information network security accident emergency command team shall strengthen supervision and inspection of communication security emergency work, so as to be prepared for danger in times of safety.

3. Funding Guarantee

The information network security accident emergency command team shall, according to the needs of communication emergency support, submit a project expenditure budget application and report it to the enterprise for approval before implementation.

1. The information center is equipped with Norton enterprise network firewall software and anti-virus software, which are upgraded promptly so that network viruses are removed in time. In the event of a hacker intrusion, the deployed intrusion detection system (IDS) sends an alert to the administrator, who deals with the intrusion immediately and reports it to the relevant departments.

2. Anti-virus software is used to filter e-mails and files downloaded from the Internet, to ensure that systems are not compromised by Trojan horses or hackers and do not inadvertently help spread viruses. In the event of a network worm outbreak such as the Blaster or Sasser worms, the administrator will immediately upgrade the virus firewall and patch the system to prevent malicious damage by the virus.

3. The information center regularly backs up important server information to improve the emergency response capability of information storage security. In the event of a serious hacker or virus intrusion that prevents the network from running normally, the administrator will immediately restore the server from backup to ensure normal network operation.

4. The administrator shall regularly check the operation of the equipment and keep maintenance records to ensure its efficient and stable operation. If server hardware fails, the administrator will immediately bring the backup server into service to keep the network running normally and have the original server repaired promptly; after repair it replaces the backup server and continues to run. If other network equipment fails, the administrator will immediately replace the faulty equipment with spare parts to keep the network running normally.

5. Operating system patches are upgraded regularly; the Norton Enterprise Edition network firewall software and anti-virus software are upgraded promptly so that network viruses are removed in time and malicious intrusion by others is prevented. Anti-virus software is used to filter e-mails and files downloaded from the network, and suspicious programs are not run, to ensure that systems are not compromised by Trojan horses or hackers and do not unintentionally help spread viruses.

6. The company strictly controls network information passwords, management authority and the scope of who knows them, manages passwords properly, and further improves the password management system in accordance with the principles of meeting needs, convenient use and strengthened management, establishing and improving a scientific password management system that adapts to the development of informatization.

7. All Internet users are recorded in logs through the firewall, and the logs are kept for 3 months. Some reactionary or unhealthy websites are blocked. A third-party plug-in installed in the mail system filters keywords. The information center regularly backs up important server information to improve the emergency response capability of information storage security, and regularly checks the operation of the equipment and keeps maintenance records to ensure its efficient and stable operation.

1. On receiving a report of a sudden computer network failure, the network administrator shall immediately go to the site of the computer or network failure to observe and inquire about the symptoms and circumstances of the failure.

2. Analyze the failure of the equipment or system and determine whether it is physical damage, a security incident caused by human error, a malicious code hazard such as a computer virus, or system paralysis caused by inspection software or a deliberate malicious attack.

3. In the case of computer hardware (system) failure, communication line interruption, routing failure, traffic abnormality, etc., the network administrator shall report to the leader of the emergency leading group immediately after a preliminary judgment, and the leader of the emergency leading group shall notify all departments to maintain on-site order among the vehicles awaiting inspection;

(1) Computer hardware (system) failure: immediately organize the technicians of the computer company to carry out emergency repairs. If it is a computer system problem, the backup system shall be used for restoration immediately. If restoration fails and there is no large-area computer shutdown, hidden dangers shall be eliminated; apart from the inspection line being handled, the station machines and computers of inspection lines that can work normally shall be restored step by step so that inspection resumes as soon as possible;

(2) Computer network connection problem: if it can be solved by running a temporary line, a temporary cable shall be run immediately and the connection fault then located step by step; if the fault lies in the connecting switch, the standby switch shall be substituted immediately. All departments in the station are obliged to cooperate with the network administrator in troubleshooting;

(3) Server paralysis: the server operating system shall be restored immediately, and the server databases restored from the most recent backup. If restoration fails, the technicians of the computer company shall be arranged for emergency repair immediately, and the relevant manufacturers and superior units contacted at once to request technical support, carry out technical treatment and notify the server service provider.

(4) Network congestion caused by network attacks, viruses, Trojan horses, etc.: the network cable shall be unplugged immediately, the faulty computer (server) disconnected from the network, the computer shut down and restarted, and new anti-virus software downloaded and installed to disinfect the faulty computers one by one. Power off the connecting switch;

(5) When the network or a server is found to have been illegally intruded, data on the application server is found to have been illegally copied, modified or deleted, or a hacker attack is detected by the intrusion detection system, the staff of each department shall disconnect from the network and the network administrator shall report to the leader of the emergency leading group. On receiving the report, the network administrator shall verify the situation, shut down the server or system, modify the filtering rules of the firewalls and routers, block or delete the logged-in accounts that have been breached, and block suspicious users' access to the network.

(6) Lightning accident: in thunderstorm weather, each department shall ask the network administrator to shut down the servers, cut off the power supply, suspend all computer network work in the station, and pause vehicle inspection. If lightning damage has occurred, all computers in the station shall be disconnected from the network, and damage to computers, switches, routers, firewalls, etc. checked one by one. If there is damage, contact the computer company's technicians for emergency repair and resume inspection after the thunderstorm has passed.

4. When dealing with a network accident, the network administrator shall immediately contact the technicians of the computer company to locate the fault in the communication network promptly, isolate the fault area, and report the situation to the leader of the emergency leading group for computer network accidents in time. At the same time, relevant technicians shall be organized promptly to examine the fault area, gradually restore the network connection between the fault area and the server, restore the communication network, and ensure normal operation.

If vehicle inspection cannot be resumed in a short time, a fault notice shall be posted in the inspection hall and the vehicle waiting area, and vehicle owners given explanations and guidance; if the fault will take a long time to eliminate, an announcement shall be made through network media and other channels, and the official time of resumption of inspection published.

5. After the emergency treatment, if the incident is serious, a fault analysis report shall be submitted to the station's safety production leading group within one day of the investigation and troubleshooting.

6. Data protection: important information systems have established backup systems to ensure that important data can be restored after being destroyed.

7. The computer users of each post shall enhance their emergency response capabilities, strengthen technical preparation for sudden computer network accidents, and improve the awareness and skills of network management personnel. The network administrator conducts a station-wide computer network security inspection once a month to eliminate network security risks and improve the security capability of the station's computer network.