Information security objectives and scope
Objects: employees, customers, suppliers and shareholders, as well as operation-related information, software and hardware equipment.
Scope: to ensure the company's information security, the company formulates relevant rules and regulations, applies technology and data security standards, and incorporates them into its management and operating system, so that privacy and information security are maintained whenever employees, suppliers and customers conduct business with one another.
Information Security Risk Management Framework
The unit responsible for the company's information security is the Information Division, which has one information supervisor and several professional information personnel. They are responsible for formulating internal information security policies, planning and implementing information security operations, and promoting and enforcing those policies.
Information Security Policy
The company attaches great importance to the security and privacy of its stakeholders, including employees, customers and shareholders, and of its operation-related information assets. To ensure the confidentiality, integrity, availability and legality of information assets, and to guard against intentional or accidental threats from inside or outside the company, the company weighs its business needs, establishes information security management procedures (including the "personal data protection management procedures"), anticipates possible risks, and implements concrete and effective security controls and personal data privacy protection measures.
Specific management plan
Information personnel have many years of experience in information security; from time to time they take the role of an outside attacker and perform drills that simulate hacking methods.
(1) System specification: The company has established internal information security operating procedures to regulate the information security behavior of its personnel, regularly checks whether these procedures still match changes in the operating environment, and adjusts them in a timely manner as needed. Regular internal audits are carried out to strengthen the management of the company's information security operations.
(2) Application of technology: To prevent external information security threats of various kinds, the company has deployed information security protection systems (such as anti-virus software) to improve the security of the overall information environment.
(3) Personnel training: The company holds practical information security education and training courses and information security awareness promotion for employees from time to time, to enhance the information security knowledge and professional skills of the company's colleagues.
(4) Specific implementation of information security management measures:
1. Personnel access to internal and external systems
․ Personnel account authority management and audit
․ Regular inventory of personnel account permissions
2. Data transmission channel security measures
․ Internal/external access control
․ Data breach control
․ Operational behavior audit trail
3. Potential weaknesses in internal systems
․ Host computer vulnerability detection and update measures
4. Anti-virus and anti-hacking protection measures
․ Anti-virus and anti-hacking, spam and malware detection
5. System availability: availability status and handling measures when service is interrupted
․ System/network availability monitoring and notification mechanism
․ Response to service interruption
․ Data backup and system backup mechanism
․ Regular disaster recovery drills
Resources invested in ZITONG's information security management
(1) By building an information security monitoring system and performing system vulnerability scans, the company prevents hackers from intruding and stealing confidential company information, and manages equipment (desktop computers, notebook computers, etc.) to protect the personal data of employees and the confidential data of the company, its customers and its suppliers.
(2) Information security education and training is conducted every quarter. The courses cover 1 hour of "Basic Education on Prevention of Phishing and Denial-of-Access Attacks" and 1 hour of "Information Security Management and Application". In 2011, four information security education and training sessions were held in total, with active employee participation, and the average training time was 8 hours per person. Training will continue to be held every quarter, and information security awareness announcements and publicity will be issued from time to time. Through continuous training and publicity, the company raises employees' awareness of information security.
Losses, possible impacts and countermeasures arising from major information security incidents in the most recent year and up to the publication date of the annual report: none.