Information Security
Vision
Become a partner with business integration capabilities within the group and one of the key promoters to achieve business goals.
Purpose
TMP is to strengthen information security management, to ensure the confidentiality, integrity, and availability of the information and information assets it belongs to, to provide an informal environment for the continuous operation of the company's information business, and to meet the requirements of relevant laws and regulations, to prevent it from being subject to an insider, Deliberate or accidental external threats, this policy specification is specially formulated.
Scope
Information security management covers 14 management items to avoid the occurrence of improper use, leakage, tampering, and destruction of data due to factors such as human negligence, and intentional or natural disasters, which will bring various possible risks and harms to the company. Management matters are as follows:
• Formulation and evaluation of information security policy.
•Information Security organization.
• HR security.
• Asset Management.
• Access control security.
• Password security.
• Physical and environmental security.
• Job security.
• Communication security.
• Security of system acquisition, development, and maintenance.
• Supplier relationship management.
• Response and handling of information security incidents.
• Operational continuity management.
• Conformity between relevant laws and regulations and policies of the implementing unit.
• Formulation and evaluation of information security policy.
• Information Security organization.
• HR Security.
• Asset Management.
• Access control security.
• Password security.
• Physical and environmental security.
• Job security.
• Communication security.
• Security of system acquisition,development, and maintenance.
• Supplier relationship management.
• Response and handling of information security incidents.
• Operational continuity management.
• Conformity between relevant laws and regulaions and policies of the implementing unit.
Target
Cooperate with the requirements of the company's information security policy, consider the applicable information security requirements, and the results of risk assessment and risk treatment, and formulate the following information security goals::
• Protect the company's key business information from unauthorized access.
• Maintain the continuous operation of the core information system to ensure that the company has an information environment for the continuous operation of the business.
• Conduct information security education and training to promote personnel's awareness of information security and strengthen their awareness of related responsibilities.
Management structure
The company has set up an information department under the finance department, and the information department promotes information security policies and specific management plans. At present, the company assigns the information security committee to a professional team "Dingxin Computer Co., Ltd." to assist in the implementation. The projects include the purchase of firewalls, personal Computer anti-virus, server host anti-virus, system database backup NAS, regular hardware equipment maintenance, disaster recovery drill service, etc.
TMP organization chart
IT Security Control Measures
1.Regularly check the list of information assets and implement various control measures.
2.The company regularly implements information security publicity operations, and all recruits must sign a confidentiality agreement covering information security.
3.All employees of the company, subcontractors, and their third parties who perform related information business have the responsibility and obligation to protect the information assets they obtain or use from the company to prevent unauthorized access, tampering, destruction, or improper disclosure.
4.Important information systems or equipment should establish appropriate backup or monitoring mechanisms and conduct regular drills to maintain their availability.
5.Personal computers should install anti-virus software and regularly confirm the update of the virus code, and prohibit the use of unauthorized software.
6.Tongren account numbers, passwords, and permissions should be kept and used responsibly and replaced regularly.
7.Establish standard procedures for responding to and reporting information security incidents, to properly deal with information security incidents promptly and avoid further damage.
8.All personnel should abide by legal norms and information security policy requirements, and supervisors should supervise the implementation of the information security compliance system, and strengthen employees' awareness of information security and the concept of laws and regulations.
1.Regularly check the list of information assets and implement various control measures.
2.The company regularly implements information security publicity operations, and all recruits must sign a confidentiality agreement covering information security.
3.All employees of the company, subcontractors, and their third parties who perform related information business have the responsibility and obligation to protect the information assets they obtain or use from the company to prevent unauthorized access, tampering, destruction, or improper disclosure.
4.Important information systems or equipment should establish appropriate backup or monitoring mechanisms and conduct regular drills to maintain their availability.
5.Personal computers should install anti-virus software and regularly confirm the update of the virus code, and prohibit the use of unauthorized software.
6.Tongren account numbers, passwords, and permissions should be kept and used responsibly and replaced regularly.
7.Establish standard procedures for responding to and reporting information security incidents, to properly deal with information security incidents promptly and avoid further damage.
8.All personnel should abide by legal norms and information security policy requirements, and supervisors should supervise the implementation of the information security compliance system, and strengthen employees' awareness of information security and the concept of laws and regulations.
Continuing Operations Exercise Execution Plan
In order to ensure that the company's key operating systems or activities are damaged, improperly used, and other major accidents that endanger information security, it can quickly carry out disaster recovery and respond in the shortest time to ensure the continuous operation of the core business. Dingxin Computer Co., Ltd.” to carry out the “Continuous Operation Exercise Execution Plan”.
The continuous operation drill is an important risk control action for the company's IT maintenance so that the company can respond to any form of disaster. The purpose is to prove that the company has implemented the continuous operation drill and strives to fulfill the responsibility of a good IT manager. During the implementation process, internal information colleagues have fully cooperated and learned Responding to skills, and then reducing the risk and impact of various disasters, in order to effectively ensure the effectiveness of continuous operation control measures, the company conducts regular drills.
On January 16, 2020, the company's information personnel, Dingxin senior system engineers, and Dingxin continuous operation consultants jointly completed the "company continuous operation drill", and obtained the "Dingxin Computer Co., Ltd." on February 5, 2020. "Continuing Operations Exercise Execution Report".
The scenario of the continuous operation drill considers factors such as the company's information environment and characteristics, past experience, and related internal and external issues, and proposes the following risks as a scenario for the drill:
• Internet outage
• power outage
• System sector exception
• System and database poisoning
• Physical machine hardware failure makes the service unavailable.
• Data loss due to storage space corruption The hard disk sector is damaged, resulting in data loss.
