信息安全管理制度

信息安全管理制度

承办部门:‎ Contractors:‎ IT部 IT department 信息安全管理制度 Information security management system 编号：‎ Number:‎ ‎ ‎ 编制:‎ Preparation:‎ ‎ ‎ 版本：‎ Version:‎ A 生效日期:‎ Effective date:‎ ‎ ‎ 页次:‎ Pages:‎ 10/9‎ ‎ 文 件 更 改 履 历 The text was changed to the calendar 修订版本 release version ‎ 更 　改 　内　容 To improve the internal capacity 修订者 expurgator 生效日期 availability date ‎ ‎ 文　件　会　签　栏 ‎ Document Signature 修订版本Revision 品管部QCD ‎ ‎□‎ 技术部TD ‎ ‎□‎ 营销部MKT ‎ ‎ □‎ 物流部Logistics D □‎ 开发部Develop D □‎ 采购部Purchasing D □‎ 管理部Management □‎ 压铸部Die Casting D □‎ 机加部Machine Addition D □‎ 财务部ACC D ‎ ‎ □‎ A 编制:‎ prepared by :‎ 审核：‎ Review :‎ 批准：‎ Approved :‎ 承办部门:‎ Contractors:‎ IT部 IT department 信息安全管理制度 Information security management system 编号：‎ Number:‎ ‎ ‎ 编制:‎ Preparation:‎ ‎ ‎ 版本：‎ Version:‎ A 生效日期:‎ Effective date:‎ ‎ ‎ 页次:‎ Pages:‎ 10/9‎ 一、信息安全指导方针 I. Information Security Guidelines 保障信息安全，创造用户价值，切实推行安全管理，积极预防风险，完善控制措施，信息安全，人人有责，不断提高顾客满意度。‎ Safeguarding information security, creating user value, effectively implementing safety management, proactively preventing risks, improving control measures, information security, and everyone’s responsibility to continuously improve customer satisfaction.‎ 二、计算机设备管理制度 ‎ Ⅱ.Computer equipment management system ‎1、计算机的使用部门要保持清洁、安全、良好的计算机设备工作环境，禁止在计算机应用环境中放置易燃、易爆、强腐蚀、强磁性等有害计算机设备安全的物品。 ‎ ‎1. The computer use department should maintain a clean, safe, and good working environment for computer equipment. It is forbidden to place objects that are flammable, explosive, corrosive, strong magnetic, or other hazardous computer equipment safe in a computer application environment. 2、 非本单位技术人员对我单位的设备、系统等进行维修、维护时，必须由本单位相关技术人员现场全程监督。计算机设备送外维修，须经有关部门负责人批准。 ‎ ‎   2. When the equipment and systems of our company are not repaired or maintained by a non-general technical personnel, they must be supervised by the relevant technical personnel of the unit at the scene. Computer equipment sent out for repairs must be approved by the person in charge of the relevant department.‎ ‎ 3、 严格遵守计算机设备使用、开机、关机等安全操作规程和正确的使用方法。任何人不允许带电插拨计算机外部设备接口，计算机出现故障时应及时向电脑负责部门报告，不允许私自处理或找非本单位技术人员进行维修及操作。 ‎ ‎     3, strictly abide by the use of computer equipment, boot, shutdown and 承办部门:‎ Contractors:‎ IT部 IT department 信息安全管理制度 Information security management system 编号：‎ Number:‎ ‎ ‎ 编制:‎ Preparation:‎ ‎ ‎ 版本：‎ Version:‎ A 生效日期:‎ Effective date:‎ ‎ ‎ 页次:‎ Pages:‎ 10/9‎ ‎ other safe operating procedures and the correct use of methods. No one is allowed to plug in the computer's external device interface. When a computer malfunctions, it should report to the computer responsible department in a timely manner, and it is not allowed to handle or find the non-owner technical personnel to perform maintenance and operation. 三、操作员安全管理制度 ‎ Ⅲ.The operator safety management system （一）操作代码是进入各类应用系统进行业务操作、分级对数据存取进行控制的代码。操作代码分为系统管理代码和一般操作代码。代码的设置根据不同应用系统的要求及岗位职责而设置； ‎ ‎(1) The operation code is a code that enters various types of application systems for business operations and controls data access hierarchically. The operation code is divided into system management code and general operation code. Code settings are set according to the requirements of different application systems and job responsibilities; （二）系统管理操作代码的设置与管理 ‎ ‎(2) System Management Operation Code Setting and Management 1、系统管理操作代码必须经过经营管理者授权取得； ‎ ‎1. The system management operation code must be authorized by the operation manager;‎ ‎2、系统管理员负责各项应用系统的环境生成、维护，负责一般操作代码的生成和维护，负 责故障恢复等管理及维护； ‎ ‎2. The system administrator is responsible for the generation and maintenance of the environment of each application system, responsible for the generation and maintenance of general operation codes, and responsible for the management and maintenance of fault recovery; 3、系统管理员对业务系统进行数据整理、故障恢复等操作，必须有其上级授权； ‎ 承办部门:‎ Contractors:‎ IT部 IT department 信息安全管理制度 Information security management system 编号：‎ Number:‎ ‎ ‎ 编制:‎ Preparation:‎ ‎ ‎ 版本：‎ Version:‎ A 生效日期:‎ Effective date:‎ ‎ ‎ 页次:‎ Pages:‎ 10/9‎ ‎3. The system administrator must perform the data sorting and fault recovery operations of the business system and must have its superior authority. 4、系统管理员不得使用他人操作代码进行业务操作； ‎ ‎4, the system administrator must not use other people's operating code for business operations; 5、系统管理员调离岗位，上级管理员（或相关负责人）应及时注销其代码并生成新的系统管理员代码； ‎ ‎5, the system administrator transferred from the position, the superior administrator (or the relevant person in charge) should promptly cancel its code and generate a new system administrator code;‎ ‎（三）一般操作代码的设置与管理 ‎ ‎(3) General operation code setting and management 1、一般操作码由系统管理员根据各类应用系统操作要求生成，应按每操作用户一码设置。‎ ‎1. The general operation code is generated by the system administrator according to the operation requirements of various application systems, and should be set by one code per operation user. 2、操作员不得使用他人代码进行业务操作。 ‎ ‎   2. The operator must not use other people's code for business operations. 3、操作员调离岗位，系统管理员应及时注销其代码并生成新的操作员代码。 ‎ ‎  3, the operator transferred from the post, the system administrator should promptly cancel its code and generate a new operator code. 四、密码与权限管理制度 ‎ Ⅳ.Password and authority management system 1、 ‎ 承办部门:‎ Contractors:‎ IT部 IT department 信息安全管理制度 Information security management system 编号：‎ Number:‎ ‎ ‎ 编制:‎ Preparation:‎ ‎ ‎ 版本：‎ Version:‎ A 生效日期:‎ Effective date:‎ ‎ ‎ 页次:‎ Pages:‎ 10/9‎ 密码设置应具有安全性、保密性，不能使用简单的代码和标记。密码是保护系统和数据安全的控制代码，也是保护用户自身权益的控制代码。密码分设为用户密码和操作密码，用户密码是登陆系统时所设的密码，操作密码是进入各应用系统的操作员密码。密码设置不应是名字、生日，重复、顺序、规律数字等容易猜测的数字和字符串； ‎ ‎1. Password settings should be secure and confidential. Simple codes and tags cannot be used. The password is the control code for protecting the system and data security, and it is also the control code for protecting the user's own rights and interests. The password is divided into a user password and an operation password. The user password is a password set when logging in to the system. The operation password is an operator password entered into each application system. Password settings should not be names, birthdays, repetitions, sequences, regular numbers and other easily guessable numbers and strings; 2、密码应定期修改，间隔时间不得超过一个月，如发现或怀疑密码遗失或泄漏应立即修改，并在相应登记簿记录用户名、修改时间、修改人等内容。 ‎ ‎    2. The password should be revised regularly. The interval time should not exceed one month. If you find or suspect that the password is lost or leaked, you should immediately modify it and record the user name, modification time, amendments, etc. in the corresponding register. 3、服务器、路由器等重要设备的超级用户密码由运行机构负责人指定专人（不参与系统开发和维护的人员）设置和管理，并由密码设置人员将密码装入密码信封，在骑缝处加盖个人名章或签字后交给密码管理人员存档并登记。如遇特殊情况需要启用封存的密码，必须经过相关部门负责人同意，由密码使用人员向密码管理人员索取，使用完毕后，须立即更改并封存，同时在“密码管理登记簿”中登记。   ‎ ‎ 3. The super user passwords of important devices such as servers and routers are designated and managed by the person in charge of the operating organization (persons who do not participate in system development and maintenance), and the password setting personnel will put the passwords into the password envelopes and capped at the seams. The personal badge or signature is submitted to the password manager for registration and registration. In case of special circumstances, the password for ‎ 承办部门:‎ Contractors:‎ IT部 IT department 信息安全管理制度 Information security management system 编号：‎ Number:‎ ‎ ‎ 编制:‎ Preparation:‎ ‎ ‎ 版本：‎ Version:‎ A 生效日期:‎ Effective date:‎ ‎ ‎ 页次:‎ Pages:‎ 10/9‎ opening the archive must be approved by the person in charge of the relevant department. The password user should request it from the password manager. After use, the password must be immediately changed and sealed, and registered in the “Password Management Register”. 4、系统维护用户的密码应至少由两人共同设置、保管和使用。 ‎ ‎   4. The system maintenance user password should be set up, kept and used by at least two people. 5、有关密码授权工作人员调离岗位，有关部门负责人须指定专人接替并对密码立即修改或用户删除，同时在“密码管理登记簿”中登记。 ‎ ‎    5, the relevant password authorized staff to leave the post, the person in charge of the relevant department must appoint a special person to replace and password immediately modify or delete the user, at the same time registered in the "Password Management Register". 五、数据安全管理制度 ‎ V. Data Security Management System 1、 存放备份数据的介质必须具有明确的标识。备份数据必须异地存放，并明确落实异地备份数据的管理职责; ‎ ‎1. The media on which the backup data is stored must have a clear identity. Backup data must be stored offsite, and clearly implement the management responsibility of backup data in different places;. 2、 注意计算机重要信息资料和数据存储介质的存放、运输安全和保密管理，保证存储介质的物理安全。 ‎ ‎  2. Pay attention to the storage, transportation security and confidentiality management of important computer information and data storage media to ensure the physical security of the storage media. 3、 ‎ 承办部门:‎ Contractors:‎ IT部 IT department 信息安全管理制度 Information security management system 编号：‎ Number:‎ ‎ ‎ 编制:‎ Preparation:‎ ‎ ‎ 版本：‎ Version:‎ A 生效日期:‎ Effective date:‎ ‎ ‎ 页次:‎ Pages:‎ 10/9‎ 任何非应用性业务数据的使用及存放数据的设备或介质的调拨、转让、废弃或销毁必须严格按照程序进行逐级审批，以保证备份数据安全完整。 ‎ ‎   3. The transfer, transfer, disposal or destruction of any non-application business data or equipment or medium for storing data must be strictly examined and approved in stages to ensure that the backup data is secure and complete.‎ ‎4、数据恢复前，必须对原环境的数据进行备份，防止有用数据的丢失。数据恢复过程中要严格按照数据恢复手册执行，出现问题时由技术部门进行现场技术支持。数据恢复后，必须进行验证、确认，确保数据恢复的完整性和可用性。 ‎ ‎4. Before data recovery, the original environment data must be backed up to prevent the loss of useful data. During the data recovery process, the data recovery manual must be strictly followed, and the technical department will provide on-site technical support when problems arise. After the data is restored, it must be verified and confirmed to ensure the integrity and availability of the data recovery. 5、数据清理前必须对数据进行备份，在确认备份正确后方可进行清理操作。历次清理前的备份数据要根据备份策略进行定期保存或永久保存，并确保可以随时使用。数据清理的实施应避开业务高峰期，避免对联机业务运行造成影响。 ‎ ‎   5. The data must be backed up before the data is cleaned up. After confirming that the backup is correct, it can be cleaned. The backup data before the previous cleanup is periodically saved or permanently saved according to the backup strategy, and it can be used at any time. The implementation of data clean-up should avoid peak business hours and avoid impact on online business operations. 6、需要长期保存的数据，数据管理部门需与相关部门制定转存方案，根据转存方案和查询使用方法要在介质有效期内进行转存，防止存储介质过期失效，通过有效的查询、使用方法保证数据的完整性和可用性。转存的数据必须有详细的文档记录。 ‎ ‎   6. Data that needs long-term preservation, the data management department needs to work with related departments to develop a transfer plan. According to the transfer plan and query usage method, the transfer must be performed within the medium 承办部门:‎ Contractors:‎ IT部 IT department 信息安全管理制度 Information security management system 编号：‎ Number:‎ ‎ ‎ 编制:‎ Preparation:‎ ‎ ‎ 版本：‎ Version:‎ A 生效日期:‎ Effective date:‎ ‎ ‎ 页次:‎ Pages:‎ 10/9‎ ‎ validity period to prevent the storage media from expired, and through effective query and use methods. Ensure data integrity and availability. The transferred data must have detailed documentation. 7、非本单位技术人员对本公司的设备、系统等进行维修、维护时，必须由本公司相关技术人员现场全程监督。计算机设备送外维修，须经设备管理机构负责人批准。送修前，需将设备存储介质内应用软件和数据等涉经营管理的信息备份后删除，并进行登记。对修复的设备，设备维修人员应对设备进行验收、病毒检测和登记。‎ ‎    7. When the technical personnel other than the company perform repairs and maintenance on the company's equipment and systems, it must be supervised by the relevant technical personnel of the company at the scene. Computer equipment sent out for maintenance must be approved by the person in charge of the equipment management agency. Before repair, you need to back up and register the application software and data related to the operation and management of the device storage media. For the repaired equipment, the equipment maintenance personnel should check the equipment, check and record the virus. 8、管理部门应对报废设备中存有的程序、数据资料进行备份后清除，并妥善处理废弃无用的资料和介质，防止泄密。‎ ‎ 8. The management department shall back up the programs and data stored in the end-of-life equipment and then remove them, and properly dispose of wasteful data and media to prevent leakage. 9、运行维护部门需指定专人负责计算机病毒的防范工作，建立本单位的计算机病毒防治管理制度，经常进行计算机病毒检查，发现病毒及时清除。 ‎ ‎    9. The operation and maintenance department needs to appoint someone to take care of computer virus prevention, establish a computer virus control system for this unit, conduct regular computer virus checks, and find that the virus is cleared in time. ‎ 承办部门:‎ Contractors:‎ IT部 IT department 信息安全管理制度 Information security management system 编号：‎ Number:‎ ‎ ‎ 编制:‎ Preparation:‎ ‎ ‎ 版本：‎ Version:‎ A 生效日期:‎ Effective date:‎ ‎ ‎ 页次:‎ Pages:‎ 10/9‎ ‎ 10、 营业用计算机未经有关部门允许不准安装其它软件、不准使用来历不明的载体（包括软盘、光盘、移动硬盘等）。 ‎ ‎ 10. The computer for business use is not allowed to install other software without the permission of relevant departments, and carriers of unknown origin (including floppy disks, optical disks, removable hard disks, etc.) shall not be used ‎ 承办部门:‎ Contractors:‎ IT部 IT department 信息安全管理制度 Information security management system 编号：‎ Number:‎ ‎ ‎ 编制:‎ Preparation:‎ ‎ ‎ 版本：‎ Version:‎ A 生效日期:‎ Effective date:‎ ‎ ‎ 页次:‎ Pages:‎ 10/9‎