Information Security Risk Management Framework

The CIO is the person in charge of assembling and leading the information security team. The team is responsible for coordinating, planning, executing, and analyzing information security events. The team consists of a strategy group, a technology group, and an audit group.

  1. The strategy group is responsible for implementation of the information security policy and related equipment.
  2. The technology group is responsible for actual certification testing, implementation, and subsequent support for implementation of the information security policy and related equipment.
  3. The audit group is responsible for performing monthly and quarterly audits of the information security policy and its establishment and presenting audit reports.

Information Security Policy

The information security team performs regular planning and review of information security protection measures according to the PDCA cycle.

  1. Implementing anti-virus endpoint protection software on personal computers and servers.
  2. The Internet firewall shall be equipped with application identification capability to enhance the defense capability against external attacks.
  3. The intranet firewall should explicitly list the allowed services.
  4. The identification module automatically separates employees from visitors and segregates access paths.
  5. An advanced threat protection module is added against junk mail and prevents phishing emails from stealing sensitive data.
  6. The active alert system automatically sends notifications when threats occur and when configurations change.
  7. Regular report audits.

Information Security Management Plan

Information security is the Company's last line of defense against significant impact. Therefore, in addition to continuously strengthening the investment in information security equipment, the Company also continues to increase investment in information security equipment and software and strengthen data redundancy. Such measures include:

  1. Local data snapshots: provide the fastest way to restore data when hardware is not damaged.
  2. Offsite replication: replicate data in real time to a backup data center over 30 km away and create remote data snapshots for double protection.
  3. Offsite tape: perform a daily full backup and store the tape offsite.
  4. Regularly switch over from the main data center to the remote backup center to ensure disaster recovery in the shortest time possible.