Information Security.doc

《Information Security.doc》由会员上传分享，免费在线阅读，更多相关内容在教育资源-天天文库。

InformationSecurityContentsSecondEditionPreface Chapter1GeneralPrinciplesChapter2CategoriesOfConfidentialInformationChapter3ManagementOfConfidentialInformationChapter4ManagementOfComputerInformationSystemChapter5LegalLiability,RewardsAndDisciplinarySanctionsChapter6Distribution,RevisionOfDGNSecurityOrdinancesResponsibilitiesandAuthoritiesOfSDSCAppendix1NoticesToSAEEmployees2ClassificationOfInformationAndIllustrationSecondeditionprefaceIthasbeenfiveyearssinceSAEDGNSecurityManualwasissuedinAugust1996bySDSC(SAEDNGSECURITYCOUCIL).Thehandbookhasplayedapositiveroleinincreasingemployees’securityawareness,urgingeachdepartmenttoestablishrelevantrulesandregulationsandprotectingcompany’ssecrets.However,withtherapiddevelopmentofinformationtechnology,theexistingregulationsareobviouslybehindthetimes,soweupdatethehandbookbyaddinganddeletingsomeitems.Inviewofinformationsecurityoncomputer,wespeciallyaddinthechapterManagementofcomputerinformationsystemtomeetthenewrequirements.Confidentialinformationisthelifebloodofacompanybecauseitiscomprisedofthestrategiesandtacticsthatbringthecompanymarketsharesandeconomicbenefits.Disclosureofacompany’sconfidentialinformationcanbefatal.Tosecurecorpany’sinformationisthusamatterofprimaryimportance,especiallyintheinformationage.We hopethatthesecondeditionsecurityordinanceswillhelpincreaseourstaff’sawarenessofinformationprotectionandhelpeachdepartmenttoestablishsoundinformationprotectionsystemtokeepconfidentialinformationsecure.Anysuggestiontothehandbookwillbeappreciated!ThanksforsupportandcooperationSAEDongguanSecurityCouncil8/15/2001Chapter1GeneralPrinciplesArticle1Inordertostrengthenthecontrolovercompany’sconfidentialinformation,toguaranteeconfidentialinformationsafety,topreventcompany’sconfidentialinformationfrombeingdisclosed,theseordinancesareherebyenactedaccordingtorelevantlawsandregulationsArticle2“confidentialinformation”asreferredtohereinmeansinformationwhichisnotknownpubliclyandcanprovidecompanywithaneconomicbenefit(orintangiblebenefit).Itincludesproductionplan,operationplan,resultsandrecordsofproductiondevelopmentandexperiments,productiontechnique,financialstatement,personnelfile,finalreport,techniqueandformula,production,prototype,materialssuppliedbycustomersorsuppliers.Carriersofinformationincludecharacters,data,video,picture,drawing,statement,disc,tape,software,etc.Article3Everyemployeehastherightsandobligationtoprotectcompany’sconfidentialinformationandmustobeyrelevantrulesandregulations.Chapter2ClassificationGuideArticle4:ClassificationofconfidentialinformationisdecidedbyaddresseraccordingtoClassificationGuideandapprovedbythedirectorinwhosedepartmenttheaddresserworks.Ifnecessary,SDSCcanmakesuggestionsforrevision. Article5:Company’confidentialinformationisclassifiedasA,B,CclassClassA:ConfidentialSecretWhichhasveryimportanteffectsonthesurvival,development,oreconomicbenefitsofthecompanyIncluding:Tactics,plansregardingthedevelopmentofcompany.MaterialsregardingkeyprocessesFinancialstatementsMaterialsregardinghumanresourcesClassB:Confidentialwhichhaveaneffectonthesurvival,development,oreconomicbenefitsofthecompanyIncludingOperationreportsofeachdepartmentExperiments,techniquereports,dataanalysesMaterialssuppliedbycustomersorsuppliesthatshouldbekeptsecret.Contractssignedwithsuppliers,databases,etcClassC:InternalOnlyMaterialsregardingthegeneralproductionandmanagement,whichcontainnokeytechnique.Forexample:systemicqualitydocumentsmaterialsregardinggeneralproductiontechniquetrainingmaterialsordinarymaterialsfromcustomersandsuppliersArticle6:EachdepartmentisallowedtodecideclassificationandtimelimitofitsownconfidentialinformationaccordingtotheClassificationGuideandpotentialvaluesofinformation.ForclassAandBconfidentialdocuments,chopshouldbemarkedonthecoverandeverypage;ForclassC,markonthecover“SAEInternalOnly” Chapter3ManagementofInformationArticle7:Eachdepartmentisresponsibleforthemanagementofitsownsecrets,gradingconfidentialinformationanddeterminingcontrolrangeaccordingtotheactualsituation,andestablishinganydetailedrulesArticle8:Eachdepartmentshouldputrelevantconfidentialinformationundereffectivecontrol.Personsresponsibleforthemanagementofconfidentialinformationshouldtaketrainingbeforeholdingthepost.Eachdepartmentshoulddevelopaninventoryofconfidentialinformationandkeeparecordoftheconfidentialinformationdistributed,copiedordestroyed.Article9:Eachdepartmentshouldensurethatemployeeswhohaveaccesstocompany’sconfidentialinformationhavesignedagreementsacknowledgingtheirobligationstotreattheinformationassecret.Eachdepartmentcanadoptthecontentandformoftheagreementprovidedbythecompanyormakedifferentagreement,butthefollowingitemsshouldbeincluded:1)contentandscopeofsecrecy2)timelimitofsecrecy3)rightsandobligationsofbothparties4)responsibilitiesArticle10ThecontroloverclassAandBinformation10.1Theaddressershouldwritethenameofaddresseeonthecoverofconfidentialdocumentandtheaddresseemustsignthedocument.10.2InventoriesofallclassA,Bdocumentsshouldbemadeanddocumentswithtimelimitshouldbedestroyedonexpiry.10.3)Circulation,duplicationofconfidentialinformationshouldbeapprovedbythe responsiblepersonandberecorded(classAmustbeapprovedbydirector)10.1PutclassA/Bdocumentinspecialfilebagandsealitbeforedelivery10.2NotallowedtotakeclassA/Bdocumentsoffthecompany’ssiteorleaveonthedesktop/filerack.Alwaysputinalockedcabinetafteruse.10.3Eachdepartmentshouldgradeplacessuchasworkshop,office,siteforscienceresearchaccordingtotheirconfidentiality.10.4Obsoleteconfidentialdocumentsshouldbedestroyedbyadesignatedpersonorreturnedtotheaddresser.Don’tuseforotherpurposesorthrowawaywithoutdisposalArticle11Externalcontroloverconfidentialdocuments11.1Inexternalcommunicationandcooperation,eveniftheotherpartyasksforconfidentialinformationwithgoodreason,approvalshouldbegivenbytheresponsiblepersonfirst.11.2Whenthethirdpartyvisitsthecompany,besuretoregisterinthereceptioncenterandreceptionpersonnelshouldsettherouteofvisitandaccompanythevisitorsalltheway.Neverleavethevisitorsaloneinworkshoporoffice.Article12Ifanyleakagehappens,takeremedyatonceandreportittothesupervisorandSDSCChapter4ManagementofcomputerinformationsystemArticle13systemofmaintainingsecrecy13.1Company’sconfidentialinformationsystemshouldnotbeconnectedwiththeoutsidenetdirectly.13.2Hewhologsontotheinternetshouldtaketheresponsibilityforleakageofinformation.Takingconfidentialinformationfromorsendingconfidentialinformationtocompany’sconfidentialinformationsystemshouldgetapprovedfirst. 13.3Employeesshouldobeyrelevantlawswhenexchanginginformationbyemail.Notallowedtodeliver,forwardorcopycompany’sortheStates’confidentialinformationbyemail.Article14securitysystemEverydepartmentthathasaccesstocompany’sconfidentialinformationsystemshouldestablishsoundsecuritysystem,togetherwiththedepartmentinchargeofinformationsystem1.regulationsregardingcheckingofinformationreleaseandregister2.regulationsregardingthestoring,deletingandcopyingofinformation3.regulationsregardingvirusdetectingandintranetsafetychecking4.regulationsregardingthereportofviolation5.regulationsregardingtheregisterofaccountnumberusingandoperationlimits6.regulationsregardingsafetyeducationandtraining7.regulationsregardingothersafetymanagementArticle15Themonitoringofprotectionofsecret15.1Personnelresponsibleforsupervisioninadepartmentshouldurgethosewhoareresponsibleforthemanagementofconfidentialinformationtoestablishsoundrulesandregulations.15.2Thepersonresponsibleforsupervisioninadepartmentshouldregularlycheckifcomputersystemiskeptsecureandinvestigateanyviolationofsecurityordinances.15.3Eachdepartmentshouldassistthedepartmentresponsibleforsupervisionwithregularchecking,andinvestigatinganyviolationofsecurityordinances.Article16Thepersoninchargeofconfidentialinformationineachdepartmentshouldorganizetoinvestigateandurgerelevantdepartmentstotakeimmediateremedialactiononreceiptofreportorfindingleakageofinformation Chapter5LegalLiability,RewardsAndDisciplinarySanctionsArticle17Legalliability:AnyofthefollowingactionswillberegardedasinfringementonSAEconfidentialinformation1.Obtaincompany’sconfidentialinformationbyunlawfulmeansasstealing,lureorthreatening2.Disclose,useorallowotherstousetheabovemeanstoobtaincompany’sconfidentialinformation3.Breakagreementorviolatecompany’sregulationstodisclose,useorallowotherstousecompany’sconfidentialinformation4.Peeporcopycompany’sinformationwithoutpermission5.Damage,destroyorlosecompany’sconfidentialinformation6.Disclosecompany’sconfidentialinformationandcausedamage7.Procurecompany’sconfidentialinformationforthepurposeofprivateinterests.8.Usepowertoobtaincompany’sconfidentialinformation9.Disclosecompany’sconfidentialinformationtothosewhohavenoaccess.10.OthersArticle18Thosewhoinfringeoncompany’sconfidentialinformationaresupposedtobebroughttothecourtArticle19Tothosewhoinfringeoncompany’sconfidentialinformationbutnotbeseriousenoughtobebroughttocourt,thecompanywillgiveadministrationdisciplinarymeasuressuchasdismissal,fine,confiscation.Article20Thecompanygivesrewardstothosewhoprotectcompany’sconfidentialinformation.Applicationforrewardshouldmadebysupervisor(manager),checkedandapprovedbySDSC Thecompanygivesrewardstothefollowingpersonnel:Thosewhohavethecouragetoprotectorkeepcompany’sconfidentialinformationinanemergencyThosewhoreportthedisclosureandinfringementofcompany’sconfidentialinformationThosewhotakeremedialactionswhenfindsthatothersaredisclosingcompany’sconfidentialinformationThosewhodon’tyieldtoanyonethatattemptstoobtainconfidentialinformationbypower.Chapter6Distribution,RevisionOfDGNSecretOrdinances.ResponsibilitiesAndAuthoritiesOfSDSCArticle21Authorizedbycompany’sPresident,SDSCisresponsibleforenacting,distributingandupdatingofSAEDGNSecurityHandbookwithitsofficeinP&Adepartmenttemporarily.Article22Onbehalfofthecompany,SDSCisinchargeofmonitoring,checkingofthemanagementofeachdepartment.SecurityOrdinancesgointoeffectfromthedateofreleaseAppendix1NoticesToSAEEmployees2ClassificationOfInformationAndIllustrationNoticestoSAEEmployees 1.Everyonemustobeyrulesandregulationsonconfidentialinformation.2.ConfidentialinformationisgradedasclassA,B,C.ClassA,Bdocumentsmustbemarkedwithchop.ClassCshouldbemarkedwithwords”SAEInternalOnly”3.Carriersofconfidentialinformation(suchascharacter,drawing,statement,software,video)mustn’tbeshowntopublicandmustn’tbetakenoffthecompany’ssitewithoutpermission.4.Anyonemustn’tread,copyconfidentialdocumentswithoutpermission.Ifnecessary,getpermissionfromthecompanyfirst.5.Eachdepartmentshouldassignapersontobeinchargeoftyping,copying,receivingandkeepingofconfidentialinformationandreporthisorhernametoSDSCtokeeponfile.andeachdepartmentshoulddesignateaplaceforconfidentialinformation.Themanagerofdepartmentshouldarrangethetransferbeforetheholder/keeperquitshisorherjob.6.UseredconfidentialbagtodeliverclassAorB.Markthegradeatthetopwhensendingconfidentialinformationbyemailorfax.7.Notallowedtoprovidecompany’sinformationforcustomer,supplier,etc.Ifnecessary,approvedbymanagerofdepartmentandregister8.Obsoleteandoutdatedconfidentialinformationshouldbedestroyedaccordingtorelevantprocedure.Don’treusethosepaperwithconfidentialinformation.9.Putawayconfidentialdocumentsafteruse,don’tleaveonthedesktop,fileholder.QuittheNetafterusingcomputerandtakeoutthediscandputinasafeplace.10.Thosewhodisclosecompany’sconfidentialinformationwillbegivenpunishmentasperrelevantregulations. ClassificationOfInformationAndIllustrationGradeClassificationGuideControlNotesA(ConfidentialSecret)InformationWhichhasveryimportanteffectsonthesurvival,development,oreconomicbenefitsofthecompanyIncluding:Tactics,plansregardingthedevelopmentofcompany.MaterialsregardingkeyprocessesFinancialstatementsMaterialsregardinghumanresourceschopshouldbemarkedonthecoverandeverypage;Circulationandduplicationmustbeapprovedbydirector)Makeaninventory;Alwayskeepinredfilebag;Destroyonexpiry;Lockinasafecabinet.B(confidential)Informationwhichhasaneffectonthesurvival,development,oreconomicbenefitsofthecompanyIncludingOperationreportsofeachdepartmentExperiments,techniquereports,dataanalysesMaterialssuppliedbycustomersorsuppliesContractssignedwithsuppliers,databases,etcChopshouldbemarkedonthecover;CirculationandduplicationmustbeapprovedbytheresponsiblepersonMakeaninventory;Alwayskeepinredfilebag;Destroyonexpiry;Lockinasafecabinet;C(InternalOnly)ClassC:InternalOnlymaterialsregardingthegeneralproductionandmanagement,containingnokeytechnique.Forexample:systemicqualitydocumentsmaterialsregardinggeneralproductiontechniquestrainingmaterialsordinarymaterialsfromcustomersandsuppliersForclassC,markonthecover“SAEInternalOnly”