供应商信息安全风险评估检查表

序号#S/N信息安全要求InformationSecurityRequirements自评得分Self-assessmen负责部门ResponsibleDepartment实施描述ImplementationDescription1.1供应商须建立信息安全管理组织并定义其职责，组织各级员工可获取。Thesuppliersmustestablishaninformationsecuritymanagementorganizationanddefinetheirresponsibilities,andmakethemavailabletotoallemployees.11.2供应商应制定信息安全的相关策略（应充分考虑客户的信息安全要求），组织各级员工了解并可获取。Thesuppliersshouldestablishtheinformationsecurtypolicies(Customer'sinformationsecurityrequirementsshouldbefullyconsidered)andmakethemavailabletoallemployees.21.3供应商须将****的《供应商来访我司安全保密须知》（最新版文件名为《****供应商安全保密须知》的要求传达至内部相关人员，特别是参与****项目和在****现场调试的人员。ThesuppliersmustpassontherequirementsofInformationSecurityInstructionofSupplierVisitwiththe****(Thelatestfileiscalled****SupplierSecurityandConfidentialInstructions)torelevantemployees,especiallythosewereinvolvedin****projectsandprovideddebugserviceat****on-site.21.4供应商若提供设备电脑给****，设备进入****前须按照****《设备电脑信息安全管理工作指示》进行自查，并将要求传达给相关人员（特别是在****的现场工程师）。Ifthesuppliersprovidestheequipmentcomputerto****,theequipmentmustbeself-inspectedaccordingtothe****EquipmentComputerInformationSecurityManagementWorkInstructionbeforeenteringthe****,andtherequirementsareavailabletotherelevantpersonnel(Especiallytheon-siteengineerat****).21.5供应商若参与****现场的设备调试，须使用****租赁笔记本电脑进行调试，并将要求传达给相关人员。Ifthesuppliersdebugtheequipmentat****,theymustusethe'****rentallaptop'todebug,andthisrequirementismadeavailabletotherelevantpersonnel.2供应商信息安全风险评估检查表InformationSecurityRiskAssessmentChecklistforSupplier1、信息安全组织及策略1.Informationsecurityorganizationandpolicy1.6供应商须实施项目信息安全管理，尤其是****项目，包含密级划分、人员管理、文档管理、风险评估等。Thesuppliersmustimplementprojectinformationsecuritymanagement,especiallyfor****projects,includingconfidentialityclassification,personnelmanagement,documentsmanagementandriskassessment.21.7供应商应定期审查信息安全策略并对相关控制措施的执行情况进行检查。Thesuppliersshouldperiodicallyreviewtheinformationsecuritypoliciesandchecktheimplementationofrelevantcontrolmeasures.2总得分Subtotal13得分率Percentage%92.86%序号#S/N信息安全要求InformationSecurityRequirements自评得分Self-assessmen负责部门ResponsibleDepartment实施描述ImplementationDescription2.1供应商招聘人员时应进行背景调查，特别是关键岗位人员。Backgroundchecksonallcandidatesforemploymentshouldbecarriedout,especiallyfor22.2供应商须与所有员工签署NDA，特别是参与****项目及能接触****信息和系统的员工。Thesuppliersmustsigntheinformationsecurityagreementwithallemployees(notjustNDA).Theagreementmustincludetheemployee'sinformationsecurityobligations,thepenaltiesandcriminalliabilityforinformationsecurityviolations.22.3供应商须制定信息安全违规处罚条例及处理流程。Thesuppliersmustestablishinformationsecuritydisciplinaryregulationsandhandlingprocedures.22.4供应商须对新入职及在职员工进行信息安全培训和考核，包括但不限于信息安全制度、规范等，并进行有效性评价。Thesuppliersmustconductinformationsecuritytrainingandassessmentfornewandcurrentemployees,includingbutnotlimitedtoinformationsecuritypolicies,regulationsandothers,andtheefeectivenessevaluationis22.5供应商须建立人员离职处理流程，至少要关闭信息系统帐号和权限，回收存储介质（包含电脑）。Thesuppliersmustestablishaprocessforemployeetermination,atleasttodisabletheinformationsystemaccountsandpermissions,and1总得分Subtotal9得分率Percentage%90.00%2、人员管理3、数据和介质管理3.Dataandmediamanagement序号#S/N信息安全要求InformationSecurityRequirements自评得分Self-assessmen负责部门ResponsibleDepartment实施描述ImplementationDescription3.1供应商须对****数据进行分级和分类，包含图纸、技术规格书及合同内容的数据应定义为涉密信息（后面统称****涉密信息）。Thesuppliersmustcategorizeandclassify****data.Thedataincludingdrawings,technicalspecificationsandcontractshouldbedefinedasconfidentialinformation(Hereinafterreferredtoas'****confidentialinformation').13.2供应商须对****涉密信息进行全生命周期管理，包括但不限于接收、存储、使用（传输、外发、打印）、销毁。Thesuppliersmustperformlife-cyclemanagementof****confidentialinformation,includingbutnotlimitedtoreceiving,storing,using(transport,outgoing,print),anddestroying.13.3供应商须建立移动存储介质的管理规定，含有****涉密信息的介质未经授权禁止带离公司。Thesuppliersmustestablishmanagementregulationsformobilestoragemedia.Itisforbiddenthatthemediaincluding****confidentialinformationistakenawayfromthecompanywithoutauthorization.13.4供应商应对****的涉密信息采取防护措施，确保其未被非授权访问或获取，如数据加密、数据防泄漏等。Thesuppliersshouldtakeactionsfor****confidentialinformationtopreventunauthorizedaccess,suchasimplementdataencryptionordataleakageprevention.1总得分Subtotal4得分率Percentage%50.00%序号#S/N信息安全要求InformationSecurityRequirements自评得分Self-assessmen负责部门ResponsibleDepartment实施描述ImplementationDescription4.1必须识别****项目涉及的全部区域，包括但不限于敏感原材料和设备区、存放区和仓库区、通道和运输路线、研发区、生产区、测试区、办公室以及装货/发货区。Allareascoveredbythe****projectmustbeidentified,includingbutnotlimitedtosensitiverawmaterialsandequipmentareas,storageareasandwarehouseareas,accessandtransportationroutes,R&Dareas,productionareas,testareas,offices,andloading/shippingareas.24、物理与环境安全4.Physicalandenvironmentsecurity4.2针对****项目涉及的区域制定区域分级保护要求，并在现场明确标识其安全等级，其中敏感原材料和设备区、研发区须定义为最高级别的安全区域。Thegradingprotectionrequirementsareestablishedfortheareasinvolvedinthe****project,andthesecuritylevelisclearlyidentifiedwithalabel.ThesensitiverawmaterialsandequipmentareasandR&Dareasmustbedefinedasthehighestlevelofsecurityzone.24.3****安全区域出入口处须设置门禁刷卡机，授权人员通过门禁卡进出安全区域，门禁进出记录至少保存1年。Theentrancecontrolmustbeimplementedattheentranceandexitofthe****securityzone.Authorizedpersonnelmustenterandexitthesecurityz