Corporate Governance


Information Security Risk Management Framework

Information Security Management Measures

1. Purpose:

To implement information security management, the company has formulated a processing cycle for the computerized information system and information security management specifications. The information center carries out the various information security tasks. The processing policy is as follows.

2. Scope of application:

Applicable to all employees of the company.

3. Responsibilities:

The Information Section is responsible for supervising the management of software and hardware, and computer users in all relevant departments must strictly follow these management measures.

4. Hardware security rules:

4.1 Hardware range: computers and peripheral equipment, network equipment, video equipment, and communication equipment, such as computers, printers, barcode machines, barcode readers, scanners, digital cameras, hubs, optical fiber, projectors, cameras, etc.
4.2 Hardware acquisition process:

Execute according to "IC-05-CF01 Fixed Assets Purchase Operation", "IC-05-CF02 Fixed Assets Purchase Operation" and "IC-05-CF02 Fixed Assets Acceptance Operation".

Note: Once the user signs for the hardware equipment, the user becomes its custodian and is responsible for safekeeping the equipment from then on.

4.3 Change of computer custodian: Execute according to "IC-05-CF08 Fixed Assets Disposal and Change Operation".

4.4 Precautions for use

4.4.1 Users are not allowed to open the main case of the computer without the consent of the Information Section, nor to install any accessories (including privately owned accessories) such as sound cards, CD drives, etc. Violators will be punished according to the circumstances.

4.4.2 If a user notices any abnormality in the hardware equipment, the user must immediately notify the information department to handle it, and must not dismantle or repair it on their own. Violators will be punished according to the circumstances.
4.4.3 The hardware is the company's property. If hardware equipment is lost or damaged, the custodian shall be responsible for the relevant compensation. Anyone who intentionally damages or steals equipment will be dismissed and punished in addition to paying compensation.
4.4.4 If a computer custodian allows others to use the hardware equipment without authorization and a violation results, the user and the custodian shall be punished together. If hardware equipment in custody is misappropriated by others and a violation results, the custodian is obliged to bear the relevant responsibility.
4.4.5 Without the consent of the custodian, the computer equipment of others shall not be used. Violators shall be punished according to the circumstances.
4.4.6 Without the consent of the Information Division, users and custodians are not allowed to change the settings of the hardware equipment. Violators will receive a demerit, and those who cause inconvenience to others will be punished more severely.
4.4.7 Computer users are not allowed to use the computer to print material unrelated to business, such as novels, landscape pictures, etc. Violators will be punished according to the circumstances.
4.4.8 The computer equipment is for the company's office use. It may not be used for other public or private purposes, or for matters unrelated to work (such as playing games or chatting online) and non-company work. Violators will be punished as described above.
4.5 Maintenance of hardware

4.5.1 When a user needs information personnel to maintain information equipment, the user informs the information personnel by telephone and gives in detail the contact person and contact method, the type of equipment, and a description of the fault.
4.5.2 When information department personnel receive a user's repair call, they must confirm and handle the user's repair problem as soon as possible. If hardware needs to be replaced, the information department will inform the user of the specific fault, the user will issue a purchase order according to the purchase process, and the information department should arrange the replacement promptly after receiving the parts.

5. Security rules for core information equipment

5.1 Separate independent logical domains (such as internal and external networks and firewalls, etc.) according to the needs of network services, separate the development, testing and production operating environments, and establish appropriate information security protection control measures for each operating environment.

5.1.1 Regularly conduct security scans on important equipment.

5.1.2 Penetration testing of important equipment is carried out on a regular basis.
5.1.3 Perform source code scanning security testing before the system goes online.
5.2 Have the following information security protection control measures:

5.2.1 Antivirus software.

5.2.2 Network firewall.

5.2.3 If there is an email server, it has an email filtering mechanism.

5.2.4 Intrusion detection and defense mechanism.

5.2.5 If there is a core information communication system for external services, it shall have an application firewall.

5.2.6 Advanced persistent threat attack defense measures.

5.2.7 Information Communication Security Threat Detection Management Mechanism (SOC).

6. Information software and information security rules

6.1 Incorporate information security requirements into the requirements specifications for the development and maintenance of the information communication system, including sensitive data access control, user login authentication, and inspection and filtering of user input and output.

6.2 Regularly test the security requirements of the information communication system, including sensitive data access control, user login authentication, and inspection and filtering of user input and output.

6.3 Properly store and manage information system development and maintenance related files.

6.4 Establish appropriate protective measures for the processing and storage of sensitive data, such as: physical isolation, dedicated computer operating environment, access rights, data encryption, transmission encryption, data shielding, personnel management and processing specifications, etc.

6.5 Develop management procedures for onboarding, in-service and resignation, and have personnel sign a confidentiality agreement that clearly informs them of confidentiality matters.

6.6 Establish operational regulations for user password management, such as: default password, password length, password complexity, password history, minimum and maximum password validity period, and a login failure lockout mechanism, and evaluate the adoption of multi-factor authentication technology in the core information communication system.

6.7 Regularly review privileged accounts, user accounts and permissions, and disable accounts that have not been used for a long time.

6.8 Establish appropriate monitoring measures for the information communication system and related equipment, such as: authentication failures, failures to access resources, important behaviors, important data changes, functional errors and administrator behaviors, etc., and establish appropriate protection mechanisms for logs.

6.9 Establish appropriate management measures for items such as security control, personnel entry and exit control, and environmental maintenance (such as temperature and humidity control) in computer rooms and important areas.

6.10 Pay attention to security vulnerability notices, patch high-risk vulnerabilities promptly, and regularly evaluate and handle security vulnerability repairs for equipment, system components, database systems, and software.

6.12 Develop security control procedures for the recycling and disposal of information equipment to ensure that sensitive data is actually deleted.

6.13 Develop operating instructions for information hardware and software, such as: software installation, e-mail, communication software, ERP and operation specifications for the sign-off system.

Information Architecture Management Solution

In order to reduce information security risk, to resolve abnormalities in the shortest possible time when an incident occurs, and to maintain the normal operation of the company, information security management will be carried out from the following aspects.

Information Architecture Management Specific Program

1. External Risk Defense

(1) The network administrator checks whether the firewall hardware is running normally every day, including indicator lights, lines, noise, etc.

(2) The network administrator regularly checks the firewall operation log, mainly including whether there is any hardware error or warning in the log.

(3) The network administrator regularly checks the firewall's external intrusion log for intrusion attempts from unauthorized external IP addresses, and prepares protection strategies accordingly.

2. Internal audit management

(1) Each department fills in the "Internal Resource Permission Application Form" according to the actual work needs. After the approval of the supervisor at or above the professional level (inclusive) of the department, the Information Department will carry out the permission setting operation.

(2) When a change in the nature of the work requires a change to the department's resource access rights, fill in the "Internal Resource Permission Application Form"; after approval by the supervisor of the department (inclusive) or above, the information department will carry out the permission setting operation.

(3) When a change in the nature of the work requires access rights to another department's resources, fill in the "Internal Resource Permission Application Form"; after approval by the supervisor of the applicant's department (inclusive) or above and the supervisor of the department whose resources are to be accessed (inclusive) or above, the information department will carry out the permission setting operation.

(4) Access rights are not opened to non-company employees.

3. Emergency Response Mechanism

When an emergency occurs, system administrators and network system administrators must immediately identify the failed information equipment, fill in the "ESON ITS EMERGENCY CASE REPORT" in accordance with the computer room management operation specifications, report it to the head of the information department, and take the following contingency measures:

(1) Enable backup equipment to restore the network and communication system. If there is no backup equipment, Kunjing will notify the maintenance vendor to provide backup equipment and restore the network and communication system.

(2) Send the faulty information equipment to the maintenance vendor for repair. If it cannot be repaired, prepare a sign-off request and submit it to Kunming for urgent procurement.

(3) After the abnormality is resolved and service is restored, notify the relevant users to re-execute their transaction operations or perform data backup and recovery.

COPYRIGHT © 2021 ESON Precision Engineering Co. Ltd. 蘇ICP備11060543號-1