Post on 18-Dec-2021
eBaoTech Corporation
Information Security Policy (eBaoTech-ISMS01-002)
ISO/IEC 27001:2013
<Confidential>
Copyright and Confidentiality Notice
© Copyright eBaoTech Corporation
All rights reserved. Reproduction in whole or in part is prohibited without the
prior written consent of the copyright owner.
The information contained in this document is strictly confidential and must not
be disclosed to any other person by the client or by any of its employees without
the prior written consent of the copyright owner.
The client is permitted to disclose the information only to those of its employees
and/or professional advisors who need to have access to it, and the client will
notify such employees and/or professional advisors of the terms of this notice.
For any questions or remarks on this document, please contact eBaoTech
Corporation at +86 (21) 61407777.
Contents
1. Purpose
2. Scope
3. Responsibilities
   3.1. Management Representative
   3.2. Information Security Management Committee
   3.3. Functional Department
   3.4. Staff
4. Information Security Policy
5. Basic Policy on Information Security
   5.1. Organizational Security of Information Security
        5.1.1 Construction of Information Security Management Structure
        5.1.2 Strict Management of External Organizations Accessing Information Assets
   5.2. Human Resources Security
        5.2.1 Personnel Security
        5.2.2 Security Awareness
   5.3. Assets Security
        5.3.1 Assets Security
        5.3.2 Classification Protection
        5.3.3 To Specify the Disposal and Control of Media
   5.4. Access Control Policy
        5.4.1 Access Control Policy
        5.4.2 User Access Management
   5.5. Cryptography
        5.5.1 Policy on the Use of Cryptographic Controls
        5.5.2 Cryptographic Management
   5.6. Physical and Environmental Security
        5.6.1 Secure Areas
        5.6.2 Equipment and Facilities Security
   5.7. Operational Security
        5.7.1 Operating Procedures and Responsibilities
        5.7.2 Planning and Management of Capacity
        5.7.3 Separation of Development, Testing and Operational Environments
        5.7.4 Protection from Malware
        5.7.5 Backup
        5.7.6 Audit Logging and Logging Protection
        5.7.7 Control of Operational Software
        5.7.8 Clock Synchronization
        5.7.9 Technical Vulnerability Control
        5.7.10 Information Systems Audit Controls
   5.8. Communications Security
        5.8.1 Network Security Management
        5.8.2 Information Processing Procedures
   5.9. Information System Acquisition, Development and Maintenance
        5.9.1 Strengthening Security Requirements and Analysis of Information System Development
        5.9.2 Ensuring the Security of Internal Data
        5.9.3 Ensuring the Integrity of Information
        5.9.4 Policy on the Cryptographic Setting
        5.9.5 Control of the Source Code of the System
        5.9.6 Technical Audit after the Change of Operational System
        5.9.7 Prevention of Information Disclosure
        5.9.8 System Security Testing
        5.9.9 System Acceptance Testing
   5.10. Supplier Relationship
        5.10.1 Information Security Policy for Supplier Relationships
        5.10.2 Ensuring the Quality of Third-party Service
        5.10.3 Audit on the Third-party Service Delivery
   5.11. Information Security Incident
        5.11.1 Policy on Information Security Incident
   5.12. Business Continuity
        5.12.1 Policy on Business Continuity Management
   5.13. Compliance with Legal and Legislative Requirements
        5.13.1 Conforming to Legal and Legislative Requirements
        5.13.2 Information Security Independent Audit
1. Purpose
This policy is established to ensure the confidentiality, integrity and availability
of the information assets of eBaoTech Corporation (hereinafter referred to as the
"Company"), the safe and stable operation of the Company's information systems and
the smooth development of its business.
2. Scope
This policy applies to the Company's staff, to business partners and the personnel
they second to the Company, and to any other organization or individual who uses
the Company's information assets to carry out their work.
3. Responsibilities
3.1. Management Representative
Responsible for approving the information security policy and for providing the
resources needed to promote and implement the information security management
system (ISMS) documents.
3.2. Information Security Management Committee
Responsible for preparing and revising the information security policy, including
interpreting and incorporating external requirements and documents into the policy;
for organizing the information security officers and the staff of all departments to
draft the information security policy and to update the related management systems
and operating procedures; and for monitoring the implementation of the information
security management system in all departments.
3.3. Functional Department
Implementing the information security policy and the related management systems;
formulating the department's own implementing regulations and putting them into
effect.
3.4. Staff
Understanding and complying with the information security policy and the related
management systems, and attending the relevant training and education.
4. Information Security Policy
The Company's information security policy is stated below and shall be reviewed
annually at the management review meeting.
The information security policy is: prevention first, classification protection,
decentralized responsibility, continual improvement.
a) Prevention first: information security is implemented on the guiding principle
of prevention first, by taking active preventive measures, establishing a prevention
and control system for information security and operational risks, strengthening the
security awareness of staff, improving the emergency response mechanism and
strengthening internal security checks, so that problems are prevented before they
occur.
b) Classification protection: information assets shall be classified according to
their importance, and controls shall be applied according to that classification, so
that every kind of information asset receives an appropriate level of protection.
c) Decentralized responsibility: a decentralized information security organization
shall be established so that responsibilities are assigned to the appropriate level
and put into practice there.
d) Continual improvement: information security management shall be improved
continuously according to the PDCA (Plan-Do-Check-Act) model, so that the Company's
information assets remain under comprehensive protection as they change over time.
5. Basic Policy on Information Security
5.1. Organizational Security of Information Security
5.1.1 Construction of Information Security Management Structure
a) Purpose: To implement information security management effectively within the
Company.
b) Policy: An Information Security Management Committee shall be established to
initiate and control information security work, approve the information security
policy and strategies, define information security management responsibilities and
their division, and coordinate the effective operation of the entire information
security management system.
The Company shall also maintain contact with external organizations such as
customers, security service providers, supervisory authorities and external security
consultants in order to track industry trends and learn advanced information
security technologies and management methods.
5.1.2 Strict Management of External Organizations Accessing Information Assets
a) Purpose: To ensure the information assets accessed by outside organizations are
under protection.
b) Policy: Business transactions and information exchange between the Company and
outside parties are unavoidable, and the Company often needs to open its information
assets and information processing facilities to external organizations. The security
risks associated with access to internal information assets by external
organizations shall therefore be assessed before such access is granted, and, where
necessary, a confidentiality agreement shall be signed with the external
organization that communicates the Company's information security policy and
strategy and defines the required security controls.
5.2. Human Resources Security
5.2.1 Personnel Security
a) Purpose: To reduce the risk of human error, theft, fraud and misuse of facilities
or authority.
b) Policy: To define and implement controls on employees prior to, during and after
employment so that their conduct conforms to the security management requirements;
and to define and implement rules for external personnel prior to, during and after
the engagement so that they perform their information security duties.
5.2.2 Security Awareness
a) Purpose: To ensure that the Company's employees and third parties recognize the
importance of information security and apply the information security policy in
their work, so as to reduce the rate of information security incidents.
b) Policy: To provide adequate training to the Company's employees and third parties
and to specify their information security responsibilities so that they acquire the
necessary information security skills; and to specify the information security
requirements that third parties must conform to and the responsibilities and duties
they must fulfil.
5.3. Assets Security
5.3.1 Assets Security
a) Purpose: To identify the Company's important and valuable information assets,
manage them and ensure their effective use.
b) Policy: To identify and manage information assets, and to define and implement
correct operating procedures for the use of information assets according to the
characteristics of each type of asset.
5.3.2 Classification Protection
a) Purpose: To protect information assets according to their classification and
importance.
b) Policy: To apply different security standards and policies according to the value
and classification level of information assets, and to apply the level of protection
that each information asset requires.
5.3.3 To Specify the Disposal and Control of Media
a) Purpose: The Company shall effectively manage the use, movement, storage and
disposal of storage media, so as to prevent the disclosure or tampering of
information, damage to media, and the resulting adverse effects on business, caused
by poor management of storage media.
b) Policy: When selecting media, the Company shall consider how long the backup
information held on it needs to be retained. Storage media include hard disks,
tapes, USB drives, removable hard drives, CDs, DVDs and printed material. The
personnel responsible for storage media shall inventory and label all storage media,
and shall establish operating rules and procedures for the use, storage, erasure and
destruction of storage media, so as to protect the data and system files on the
media from unauthorized disclosure, tampering and destruction.
5.4. Access Control Policy
5.4.1 Access Control Policy
a) Purpose: To control access to information assets and to enforce the principles of
isolated operation, a unique identity for each user, least privilege, separation of
duties and deny-by-default.
b) Policy: To strengthen access control over the Company's assets, standardize user
management, password management and system configuration, and set out the basic
requirements of access control management.
5.4.2 User Access Management
a) Purpose: To ensure that legitimate users receive the appropriate access rights
and that unauthorized access is prevented.
b) Policy: To grant personnel access appropriate to their duties; to maintain a list
of user access rights and review it regularly; and to adjust or revoke an employee's
access rights when he or she changes post or leaves the Company.
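The regular review of the user access list called for above is a reconciliation
exercise. The following is an added example of how such a review can be automated;
it is not code from the eBaoTech policy document or from the Company's systems. The
account export, HR roster, department-to-role matrix and dormancy threshold are
constructed for illustration and the field names are assumptions, not the Company's
schema.

```python
"""Periodic user-access review (added example, not from the eBaoTech policy).

Reconciles a system's account list against the HR roster and a
department-to-role matrix, producing the findings a reviewer must act on:
accounts of leavers to revoke, roles that do not fit the owner's department,
accounts with no HR record, and dormant accounts. All data below is
constructed for illustration; field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    role: str
    last_login: date


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    status: str  # "active" or "left"


# Constructed HR roster (not real people).
HR_ROSTER = {
    "alice": Employee("alice", "Finance", "active"),
    "bob": Employee("bob", "IT", "left"),
    "carol": Employee("carol", "Claims", "active"),
    "dave": Employee("dave", "Claims", "active"),
}

# Constructed account export from one application.
ACCOUNTS = [
    Account("alice", "core-insurance", "finance-user", date(2021, 12, 10)),
    Account("bob", "core-insurance", "admin", date(2021, 11, 10)),
    Account("carol", "core-insurance", "finance-user", date(2021, 12, 12)),
    Account("dave", "core-insurance", "claims-user", date(2021, 5, 1)),
    Account("svc_report", "core-insurance", "report-reader", date(2021, 12, 14)),
]

# Which roles each department is expected to hold (constructed).
ROLE_MATRIX = {
    "Finance": {"finance-user"},
    "Claims": {"claims-user"},
    "IT": {"admin"},
}

REVIEW_DATE = date(2021, 12, 18)
DORMANT_AFTER = timedelta(days=90)


def review_access(accounts, roster, role_matrix, today, dormant_after=DORMANT_AFTER):
    """Return {user_id: [finding, ...]} for every account that needs action.

    Finding codes:
      revoke-leaver  owner has left the Company: cancel the account
      no-hr-record   no matching person in HR: orphan or unregistered service account
      role-mismatch  role is not one expected for the owner's department
      dormant        no login for longer than dormant_after
    Accounts with no findings are omitted, so an empty dict means a clean review.
    """
    findings = {}

    def add(user_id, code):
        findings.setdefault(user_id, []).append(code)

    for acct in accounts:
        emp = roster.get(acct.user_id)
        if emp is None:
            add(acct.user_id, "no-hr-record")
        elif emp.status == "left":
            add(acct.user_id, "revoke-leaver")
        elif acct.role not in role_matrix.get(emp.department, set()):
            add(acct.user_id, "role-mismatch")
        if today - acct.last_login > dormant_after:
            add(acct.user_id, "dormant")
    return findings


def revocation_list(findings):
    """User IDs whose access must be cancelled outright (leavers)."""
    return sorted(u for u, codes in findings.items() if "revoke-leaver" in codes)


if __name__ == "__main__":
    result = review_access(ACCOUNTS, HR_ROSTER, ROLE_MATRIX, REVIEW_DATE)
    for user_id, codes in sorted(result.items()):
        print(f"{user_id:12} {', '.join(codes)}")
    print("revoke now:", revocation_list(result))
```

Accounts that exist in the system but not in HR are deliberately reported rather
than ignored: they are either orphaned accounts or service accounts that should be
registered with an owner, and both are exactly what a review is meant to surface.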
5.5. Cryptography
5.5.1 Policy on the Use of Cryptographic Controls
a) Purpose: The Company shall develop and implement cryptographic controls in its
information systems to protect information.
b) Policy: When formulating the cryptographic policy, the Company shall consider the
following: the management of cryptographic controls across the organization,
including the general principles for protecting business information;
identification of the required level of protection based on a risk assessment,
taking into account the type, strength and quality of the encryption algorithm; and
the use of encryption to protect sensitive information carried on mobile phones,
removable media and other devices or transmitted over communication lines.
5.5.2 Cryptographic Management
a) Purpose: To ensure the appropriate use and management of cryptographic keys.
b) Policy: The Company shall establish key management rules so that the whole key
lifecycle, from application and generation through use and custody to destruction,
is under secure control.
5.6. Physical and Environmental Security
5.6.1 Secure Areas
a) Purpose: To prevent unauthorized physical access to, damage to and interference
with secure areas.
b) Policy: To define the boundaries of secure areas and apply appropriate controls
such as physical isolation, access control systems and video surveillance.
5.6.2 Equipment and Facilities Security
a) Purpose: To prevent the loss of or damage to information processing facilities
and the disclosure of the information they hold.
b) Policy: To accurately identify and manage all equipment and facilities and to
site them in appropriate areas.
5.7. Operational security
5.7.1 Operating Procedures and Responsibilities
a) Purpose: The Company shall establish documented operating procedures for its
information systems so that employees operate information processing facilities
correctly and securely. The Company shall divide responsibilities among different
categories of employees to reduce the risk of unauthorized access, unintended
modification and misuse of organizational assets.
b) Policy: The system activities of the Company's information processing and
communication facilities, such as backup, equipment maintenance, media handling,
computer room management, mail management and physical security management, shall
be documented.
The necessary management and operating responsibilities and procedures shall be
established for all information processing facilities. The Company shall control
changes to information processing facilities and systems; allocate responsibilities
clearly to reduce the risk of negligence or misuse of systems; and ensure that no
unauthorized or unmonitored individual can access, modify or use a system.
Separation of duties shall be implemented effectively in accordance with the basic
requirements of secure operation.
5.7.2 Planning and Management of Capacity
a) Purpose: The Company shall monitor and tune resource use and forecast future
capacity requirements to ensure that the required system performance is available.
b) Policy: The Company shall ensure that the capacity requirements of each
information system are identified, so that availability and efficiency can be
assessed and improved in good time when necessary. When projecting the future
capacity of a system, the Company shall take into account the development of new
services, the growth of the system itself, the Company's current information
processing capabilities and future development trends.
5.7.3 Separation of Development, Testing and Operational Environments
a) Purpose: The Company shall separate development, testing and operational
facilities to reduce the risk of unauthorized access to or changes in the
operational system.
b) Policy: The Company shall define the level of separation between the operational,
testing and development environments of an information system, so as to prevent
overreaching or unauthorized operations.
5.7.4 Protection from Malware
a) Purpose: To reduce the adverse effects of malware on the Company.
b) Policy: To establish effective mechanisms for preventing, detecting and removing
malware, to implement detection and protection controls against malware, and to
raise employees' awareness of malware.
5.7.5 Backup
a) Purpose: To ensure the integrity and availability of backup data.
b) Policy: To back up data in accordance with the backup policy and to regularly
test that the backup data can be restored.
5.7.6 Audit Logging and Logging Protection
a) Purpose: The Company shall produce logs recording user activities, exceptions and
information security events, and shall retain them for a defined period to support
future investigation and access control monitoring. Logging facilities and log
information shall be protected against tampering and unauthorized access.
b) Policy: The Company shall establish log management rules to protect log storage
facilities against unauthorized tampering and operational problems. Important audit
logs shall be archived. Audit logs shall include details such as user ID, date, time
and key events, as well as system configuration changes, the use of privileged
access, and the use of system utilities and applications.
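One concrete way to make archived audit logs tamper-evident, as the policy above
requires, is to hash-chain the records and keep a keyed seal over the head of the
chain apart from the log itself. The following is an added example and is not code
from the eBaoTech policy document or the Company's logging systems; the sample
events, field names and the seal key are constructed for illustration.

```python
"""Tamper-evident audit log (added example, not from the eBaoTech policy).

Each archived record carries the hash of the previous record and its own
SHA-256 hash over the canonical record content, so editing, deleting or
reordering a record breaks the chain and verify() reports where. A keyed
seal (HMAC) over the final hash, stored separately from the log, additionally
detects truncation of the tail. Sample events and the key are constructed.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64
# Constructed demonstration key; in practice the seal key is held by the
# archive owner, not on the logging host.
DEMO_SEAL_KEY = b"constructed-demo-key-not-for-production"

# Constructed events in the shape the policy asks for (user ID, time, event).
SAMPLE_EVENTS = [
    {"user_id": "alice", "time": "2021-12-18T09:00:01Z", "event": "login", "src": "10.0.0.5"},
    {"user_id": "alice", "time": "2021-12-18T09:03:12Z", "event": "privileged-access", "detail": "sudo"},
    {"user_id": "bob", "time": "2021-12-18T09:10:40Z", "event": "config-change", "detail": "sshd_config"},
]


def _record_hash(prev_hash, record):
    """Hash of previous hash + canonical JSON of the record content."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, record):
    """Append a record (dict of log fields) to the chain in place."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = dict(record)
    entry["prev_hash"] = prev
    entry["hash"] = _record_hash(prev, record)
    chain.append(entry)
    return chain


def verify(chain):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        content = {k: v for k, v in entry.items() if k not in ("hash", "prev_hash")}
        expected = _record_hash(prev, content)
        if entry.get("prev_hash") != prev or not hmac.compare_digest(entry.get("hash", ""), expected):
            return False, i
        prev = entry["hash"]
    return True, None


def seal(chain, key):
    """Keyed seal over the head of the chain; store it apart from the log."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode("utf-8"), hashlib.sha256).hexdigest()


def check_seal(chain, key, sealed):
    """True if the chain still ends at the sealed head (no truncation)."""
    return hmac.compare_digest(seal(chain, key), sealed)


def build_sample():
    chain = []
    for ev in SAMPLE_EVENTS:
        append(chain, ev)
    return chain


def tampered_sample():
    """Same log, but record 1 edited after the fact."""
    chain = build_sample()
    chain[1]["user_id"] = "mallory"
    return chain


if __name__ == "__main__":
    log = build_sample()
    head_seal = seal(log, DEMO_SEAL_KEY)
    print("intact:", verify(log))
    print("edited:", verify(tampered_sample()))
    print("truncated passes chain check:", verify(log[:-1])[0],
          "but fails seal:", check_seal(log[:-1], DEMO_SEAL_KEY, head_seal))
```

The chain alone cannot detect removal of the most recent records, because a
truncated chain is still internally consistent; that is why the seal over the head
hash has to be produced with a key and stored somewhere the logging host cannot
write to.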
5.7.7 Control of Operational Software
a) Purpose: Software shall be installed on all operational systems according to the
management procedures established by the Company, and the installation shall be
recorded and archived.
b) Policy: The Company shall develop management procedures for software installation
and designate specific personnel to install software on operational systems
according to those procedures. Installers shall have the skills required for
day-to-day software installation.
5.7.8 Clock Synchronization
a) Purpose: The clocks of all facilities shall be synchronized to an accurate
reference time source.
b) Policy: The Company shall synchronize system clocks so that the timestamps in
system logs are accurate and logs from different systems can be correlated.
5.7.9 Technical Vulnerability Control
a) Purpose: The Company shall reduce the risks arising from the exploitation of
technical vulnerabilities.
b) Policy: The Company shall obtain timely information about technical
vulnerabilities in the technical systems it uses, such as operating systems,
application systems and software tools, assess its exposure to those
vulnerabilities and take appropriate controls.
5.7.10 Information Systems Audit Controls
a) Purpose: The Company shall minimize the risk that information systems audits pose
to operational systems.
b) Policy: Information systems audits shall be planned in detail and their
associated risks assessed. The information systems audit policy shall be implemented
with the approval of senior management, and audits shall be carried out strictly in
accordance with the planned procedures.
5.8. Communications Security
5.8.1 Network Security Management
a) Purpose: The Company shall maintain the availability of network services and
protect the confidentiality and integrity of information transmitted over the
network.
b) Policy: To implement network security management; divide the network into
security zones; monitor and manage network equipment and activity; develop network
security policies and operating procedures; and protect network information and the
supporting facilities.
5.8.2 Information Processing Procedures
a) Purpose: The Company shall establish procedures for the processing and storage of
information to prevent its unauthorized disclosure or misuse.
b) Policy: The Company shall establish management procedures for handling,
processing, storing and communicating information consistent with its
classification, and shall label and dispose of all media according to the
classification standard. The Company shall also restrict unauthorized access, store
media in accordance with the manufacturers' storage specifications, and clearly
label all copies of data so that they are brought to the attention of the data
owners.
5.9. Information System Acquisition, Development and Maintenance
5.9.1 Strengthening Security Requirements and Analysis of Information System Development
a) Purpose: The Company shall specify the required security controls in the
requirements statement for constructing a new information system or enhancing an
existing one.
b) Policy: Before an information system is developed, the requirements for the basic
automated controls and the supporting manual controls to be included in the system
shall be specified. Security requirements for both existing and new information
systems shall be integrated at an early stage of the information system project.
The purchase of a mature software product shall follow a formal testing and
acquisition process, and the specified security requirements shall be included in
the contract signed with the supplier.
5.9.2 Ensuring the Security of Internal Data
a) Purpose: Validation checks shall be built into information systems to detect
errors in processing, whether accidental or the result of deliberate action.
b) Policy: During the design and development of an information system, data
validation and checking functions shall be integrated throughout the data
processing flow to ensure that the integrity of the data is not lost or corrupted
in the course of processing.
5.9.3 Ensuring the Integrity of Information
a) Purpose: Appropriate controls shall be applied in information systems to ensure
the authenticity of data and protect the integrity of information.
b) Policy: When an information system is built, a security risk assessment is
required to determine whether information integrity needs to be ensured and to
decide the most appropriate method of implementation.
5.9.4 Policy on the Cryptographic Setting
a) Purpose and b) Policy: as set out in 5.5.1 (Policy on the Use of Cryptographic
Controls), which applies equally to the cryptographic settings of information
systems under acquisition, development and maintenance.
5.9.5 Control of the Source Code of the System
a) Purpose: The Company shall standardize and restrict access to system source code.
b) Policy: The Company shall strictly control access to source code and related
items (such as designs, manuals, verification plans and validation plans). System
source code shall be retained under central storage control, preferably in a source
code library.
5.9.6 Technical Audit after the Change of Operational System
a) Purpose: When the operating system is changed, the Company shall review and test
business-critical applications to ensure that there is no adverse impact on the
operation and security of the application systems.
b) Policy: To review application control and integrity procedures to ensure that
they are not compromised by operating system changes; and to ensure that notice of
operating system changes is given in time for the required reviews and system
testing to be included in the annual support plan and budget, so that the Company
can test and review before implementation and make appropriate changes to the
business continuity plan.
5.9.7 Prevention of Information Disclosure
a) Purpose: The Company shall prevent the leakage of information.
b) Policy: The Company shall limit the risk of information leakage, regularly check
outbound communications for hidden information, and mask or adjust the
communication behaviour of systems to reduce the possibility that third parties
infer information from that behaviour. The Company shall also regularly monitor the
activities of individuals and systems and the use of resources in computer systems,
within the limits of applicable laws and regulations.
5.9.8 System Security Testing
a) Purpose: To carry out security testing on information systems so that as many
vulnerabilities as possible are found and remedied as early as possible.
b) Policy: To carry out security testing on information systems regularly, and to
carry out comprehensive security testing before an information system goes into
production.
5.9.9 System Acceptance Testing
a) Purpose: Acceptance criteria shall be documented and testing carried out before a
new system is accepted and put into use.
b) Policy: The requirements and principles for accepting a new system shall be
clearly defined and documented, and testing carried out, before a new information
system is built. A system upgrade or new version shall be put into production only
after formal testing and acceptance.
5.10. Supplier Relationships
5.10.1 Information Security Policy for Supplier Relationships
a) Purpose: To ensure that information assets accessed by suppliers are controlled, so
that the Company's information is not damaged or disclosed as a result of supplier
access.
b) Policy: The Company shall ensure that suppliers understand its information security
requirements and the security measures in place, shall define the scope of supplier
access to the Company's information resources, and shall monitor that access.
5.10.2 Ensuring the Quality of Third-party Services
a) Purpose: To ensure that third parties maintain the agreed level of information
security and service delivery throughout the service period, in accordance with the
agreement between the two parties.
b) Policy: Services delivered by third parties shall include the agreed security
arrangements, service definitions and service management. Third parties shall maintain
adequate service capability and a continuity plan so that the agreed services can be
maintained after a failure or disaster.
5.10.3 Audit of Third-party Service Delivery
a) Purpose: To ensure that services delivered by third parties conform to the
requirements of the agreement.
b) Policy: The requirements of the agreement, and the consistency with which it is
implemented, shall be checked to ensure that service delivery meets all the
requirements agreed with the third party.
5.11. Information Security Incidents
5.11.1 Policy on Information Security Incidents
a) Purpose: To minimize the damage caused by information security incidents, to
monitor them, and to improve continually.
b) Policy: Information security incidents shall be centrally controlled, recorded,
analysed and acted upon. The Company shall establish and improve mechanisms for
monitoring, reporting, warning of, handling and rectifying information security
incidents.
5.12. Business Continuity
5.12.1 Policy on Business Continuity Management
a) Purpose: To prevent the interruption of business activities, to protect critical
business processes from major information system failures and natural disasters, and
to ensure timely recovery.
b) Policy: Identify potential hazards that could interrupt the business, together with
the likelihood and impact of such interruptions and their security consequences;
formulate continuity plans and conduct emergency drills to ensure timely recovery from
interruptions or failures of critical business processes and to guarantee the
availability of information.
5.13. Compliance with Legal and Regulatory Requirements
5.13.1 Conforming to Legal and Regulatory Requirements
a) Purpose: To ensure that daily work conforms to legal and regulatory requirements.
b) Policy: Establish a process for identifying the laws and regulations relevant to
information security and reflect their requirements in all of the Company's rules and
regulations. Provide training so that employees understand the relevant laws and
regulations and comply with them at work.
5.13.2 Independent Information Security Audit
a) Purpose: The Company shall regularly carry out internal information security audits
and management reviews to understand how the information security management system
is being implemented and to identify opportunities for improving it.
b) Policy: The Company shall regularly (at least once a year) conduct an internal audit
of information system security to assess the compliance of the current information
systems with the Company's security policies, relevant standards and technical
requirements. Audit requirements and audit activities involving checks of operating
systems, databases and network equipment shall be carefully planned so as to minimize
disruption to the business. Access to information system audit tools shall be
restricted to prevent disclosure of sensitive information and possible misuse of, or
damage to, information systems.