信息安全

AAA公司信息安全InformationSecurityforMetalFactory信息安全管理内容Contentforinformationsecuritymanagement1.门禁、员工卡、安检门AccessControl,WorkerID,SecurityGate2.物理安全PhysicalSecurity3.安全组织SecurityOrganization4.NDA和机密协议NDAandConfidentialityAgreement5.风险管理RiskManagement6.业务持续性BusinessContinuity7.安全意识SecurityAwareness门禁、员工卡、安检门作用GateGuard,WorkerID,SecurityGate确保信息保密性，真实性和易获得性makesureinformationconfidential,trueandaccessible确保公司符合法律法规的要求makesurethatcompanyabidesbythelegallawandregulations确保建立和实施公司信息安全管理系统makesuretoestablishandimplementinformationsecuritymanagementsystem确保对公司员工进行信息安全和技能的培训makesuretotrainworkerswithinformationsecurityawarenessandskills确保实施信息安全事故的预防和反应系统makesuretoimplementinformationsecurityincidentpreventionandresponsesystem所有AAA公司员工卡都录入门禁系统程序，读卡报警的员工禁止入内worker'sIDisstoredbytheentranceguardprocedure,outsidersarenotallowedtoentertheworkingareawithoutpermission.安全管理内容Contentforsecuritymanagement1.门禁、员工卡、安检门AccessControl,workerID,SecurityGate2.物理安全PhysicalSecurity3.安全组织SecurityOrganization4.NDA和机密协议NDAandConfidentialityAgreement5.风险管理RiskManagement6.业务持续性BusinessContinuity7.安全意识SecurityAwarenessPhysicalSecurity离开办公区域前，桌面文件要保存好。Officeworkersshouldstorefilesproperlybeforetheyleavetheworkingarea。电脑设置屏保，5分钟不用要自动锁定Computerbesetscreensaversandautomaticallylockedwithoutuseinfiveminutes。为AAA公司建立信息安全事故管理文件EstablishInformationsecurityincidentcontroldocumentforMetalFactoryexclusive安全管理内容Contentforsecuritymanagement1.门禁、员工卡、安检门AccessControl,workerID,SecurityGate2.物理安全PhysicalSecurity3.安全组织SecurityOrganization4.NDA和机密协议NDAandConfidentialityAgreement5.风险管理RiskManagement6.业务持续性BusinessContinuity7.安全意识SecurityAwareness安全组织SecurityOrganizationAAA公司制定信息、物理安全组织架构图，并明确各级组织成员职责。MetalFactoryestablishesinformationandphysicalsecurityframework,anddefinesdutyofmembersofalllevels.经AAA公司领导研究决定提名一位信息安全协调员，负责组织BBB及内部信息安全组织的各项工作。AninformationsecurityrepresentativeisdesignatedbythetopmanagementofMetalFactory,whowillbeinchargeofdealingwithtasksrelatedtoinformationsecurityfromBBBandinternalinformationsecurityorganization.安全管理内容Contentforsecuritymanagement1.门禁、员工卡、安检门AccessControl,workerID,SecurityGate2.物理安全PhysicalSecurity3.安全组织SecurityOrganization4.NDA和机密协议NDAandConfidentialityAgreement5.风险管理RiskManagement6.业务持续性BusinessContinuity7.安全意识SecurityAwarenessNDAandConfidentiality公司和所有管理人员以及各部门清洁工签定保密协议。AllstaffsandcleaningworkersofAAAarerequiredtosignconfidentialityagreement公司和外来施工公司员工签定保密协议。Outsideconstructioncompaniesarerequiredtosignconfidentialagreement针对能够接触到BBB项目的外部机构与其签署NDA.OutsideorganizationsthathaveaccesstoBBBprojectsarerequiredtosignNDAwithAAA合作商及其职员必须遵守BBB和合作商的协议上的承诺，此条款在劳动合同上体现.SuppliersofAAAmustabidebytheagreementsignedbyBBBandsuppliers,whicharewrittenonthecontract.在BBB信息共享之前,合作商与BBB之间必须签署不透露协议。PriortosharingBBBinformation,suppliersmustsigntheconfidentialagreementwithBBB安全管理内容Contentforsecuritymanagement1.门禁、员工卡、安检门GateGuard,workerID,SecurityGate2.物理安全PhysicalSecurity3.安全组织SecurityOrganization4.NDA和机密协议NDAandConfidentialityAgreement5.风险管理RiskManagement6.业务持续性BusinessContinuity7.安全意识SecurityAwarenessWehaveestablishedriskmanagementsystemtoeffectivelyidentify,analyze,controlandmonitorrisksassociatedwithourinformationsecurity.AAA公司已建立风险管理系统，对涉及信息安全的风险进行判断，分析和控制，及时预防和消除风险。Wepromoteriskmanagementthroughoutallaspectsofinformationsecurityactivities,includingactivitieswithregardtophysicalsecurity,serverroom,customerprototypesecurity,generalinformationsecuritiesandITsecuritieswhichcoverstheoperatingsystem,usermanagement,softwaremanagementaswellasbackuppolicyandmeasures,etc.Wegiveprioritytopreventionandfocusonriskidentificationandmitigation,andalsowearecommittedtocompliancewithBBBrequirements,lawsandregulations.AAA公司风险管理覆盖了信息安全活动的方方面面，包括物理安全，服务器室，客户样品管控，一般信息安全管控和IT安全的管理。WehaveriskmanagementrequirementstoourownsupplynetworkrelatedtoBBBbusiness.我们在涉及BBB项目的供应链均采用了风险管理系统，控制风险。IfariskthatcanimpactBBBseemslikelytomaterialize.Businessdept.willinformcustomer.如果有任何危及风险会影响到BBB的产品项目，AAA公司商务部门会第一时间通知客户RiskManagement风险管理InternalauditInformationsecurityorganizationRiskAssessmentRiskidentificationRiskevaluationCriticalrisklistManagementreviewAAAinformationsecuritypolicyRiskManagementSystem风险管理系统RiskreportingandcommunicationDecisionmakingandresourceallocationOperationalcontrol(includingcontingencyplanning,etc.)Monitoring,measurement,correctiveandpreventiveactionsRiskmanagementresponsibilitiesandpractices风险管理责任和实践Wehaveariskmanagementorganizationinmetalfactoryandcompanylevel,risksareidentifiedagainstITstructureexpansion,varietyofnetworkuseandmobilityofpeopleintoandoutofmanufacturingfacilities,etc.Riskevaluationmetricsandriskacceptanceconstraintsarejustified.Statusofrisksandactionsarereviewedonceperhalfayear.AAA公司和公司层面都设有风险管理组织。针对IT产业群结构评估各种风险。例如，各种网络的使用，生产车间人员的进出。Responsibilitiesoneachimportantriskhasbeenagreedon(riskownership,actionowners).Wecommunicateinternallyandexternallytheseimportantrisks,andtheircontrolaction,monitoring,responseplan,etc.每项重大的风险公司和部门均安排专人监控（风险管控人，行动负责人）公司在内部和外部对重大的风险进行充分的沟通，制定管控计划，监控风险，和风险处理计划。ManagingRisks风险管控Wehighlystressinformatio