Anti-terrorism factory inspection computer information system security management system

General Provisions

Article 1 In order to strengthen the company's network management, clarify job responsibilities, standardize operating procedures, maintain the normal operation of the network, and ensure the security of the computer information system, this system is formulated in accordance with the relevant provisions of the "Regulations on the Security Protection of Computer Information Systems of the People's Republic of China" and in combination with the actual situation of the company.

Article 2 Computer information system refers to a human-computer system composed of computers and their related and supporting equipment and facilities (including networks), which collects, processes, stores, transmits, retrieves and otherwise handles information in accordance with certain application objectives and rules.

Article 3 The Information Center is responsible for the security management of computer information systems within the company.

Chapter 1 Network Management

Article 4 Abide by the company's rules and regulations, strictly implement the security and confidentiality system, and do not use the Internet to endanger the company's security, disclose company secrets, etc. Do not create, browse, copy, or spread reactionary and obscene information, do not publish illegal and false information related to the company on the Internet, and do not disclose any private information of the company on the Internet. It is strictly forbidden to conduct any hacking activities and similar sabotage activities through the Internet, and the intrusion of computer viruses must be strictly controlled and prevented.

Article 5 Work computers that have not been configured for security, or are not equipped with firewalls or anti-virus software, shall not be allowed to access the network.
All computer terminal users shall regularly upgrade and update computer systems, anti-virus software, etc., and conduct virus checks regularly. Do not download and use untested and unidentified software, do not open unidentified emails, and do not use infected USB flash drives and other media at will.

Article 6 Unauthorized users are prohibited from accessing the company's computer network and the resources on the network, and unauthorized users are prohibited from using BT, eMule and other downloading tools that occupy a large amount of bandwidth.

Article 7 No employee shall create or intentionally input or spread computer viruses or other harmful data, or use illegal means to copy, intercept or tamper with data in computer information systems.

Article 8 Company employees are prohibited from using scanning, monitoring, camouflage and other tools to maliciously attack networks and servers, from illegally intruding into other people's networks and server systems, and from using computers and networks to interfere with the normal work of others.

Article 9 Computer terminal users should keep their user accounts and passwords safe. It is strictly forbidden to disclose or lend your account and password to others at will; it is strictly forbidden to log into the system under an identity other than your own. Computer users should change their passwords regularly and use complex passwords.

Article 10 IP addresses are important resources of computer networks. Computer terminal users should use these resources under the planning of the Information Center and should not change them without authorization. In addition, some system services have an impact on the network. Computer terminal users should use them under the guidance of the Information Center and are prohibited from arbitrarily opening system services on the computer, to ensure the smooth operation of the computer network.
Chapter 2 Equipment Management

Article 11 If a company employee needs to purchase IT equipment or accessories for work, he/she may apply to the Information Center. If there is equipment that meets the needs, the applicant shall fill in the "Information Equipment Application Form". If there are special requirements for equipment configuration due to work needs, they must be stated in the application form.

Article 12 All registered IT equipment shall be managed by the Information Center and labelled with IT equipment cards. The IT equipment card serves as the identification of the corresponding equipment. Each end user is obliged to ensure that the card is clean and complete, and the card shall not be covered, torn, painted over, etc.

Article 13 The principle of "whoever uses it is responsible" shall be implemented for the security management of IT equipment (the responsibility for public equipment shall be implemented at the department level). In principle, all equipment purchased by subsidiaries or cooperative units shall be the responsibility of the branch or cooperative unit, but if necessary, the Information Center can assist in handling it.

Article 14 It is strictly prohibited to use counterfeit and shoddy products; it is strictly prohibited to connect external power switches and sockets without authorization; it is strictly prohibited to move, install or disassemble various equipment and other auxiliary equipment without authorization; it is strictly prohibited to have others carry out repairs without authorization; it is strictly prohibited to adjust the arrangement of the department's internal computer information system without authorization.

Article 15 Issues such as equipment hardware problems or reinstalling the operating system shall be handled by the Information Center.

Article 16 In principle, IT equipment that has already been purchased shall not be purchased again within its prescribed service life.
After reaching the prescribed service life, the Information Center shall review and handle it together with relevant departments. During the prescribed service life, if the computer terminal user is transferred or resigns due to work needs, he/she shall make a change record at the Information Center if he/she needs to continue to use the computer; if he/she does not continue to use the computer, the department leader shall supervise the responsible person to return the computer and related equipment to the Information Center in a timely manner, and the Information Center shall dispose of it again.

Article 17 If the equipment fails and cannot be repaired or the repair cost is too high, and it meets the scrapping conditions, the IT equipment terminal user shall submit an application and fill in the "IT Equipment Scrapping Application Form", which shall be signed by the manager of the relevant department and reported to the Information Center. After the Information Center appraises the equipment's service life and maintenance status, the scrapped equipment will be handed over to the relevant department for processing. If the scrapped equipment can be sold, the recovered funds will be handed over to the company's financial department for accounting. At the same time, the Information Center will register and archive the scrapped equipment.

Chapter 3 Data Management

Article 18 If the data on the terminal user's computer involves company secrets, a password should be set for the computer or the file should be encrypted; any data or files involving company secrets shall not be transferred in any form unless required for work, and shall not be disclosed to others. When an employee leaves his/her original job, the employee's department manager shall be responsible for collecting and preserving all of his/her work data.
Article 19 Important data within the scope of work (the degree of importance shall be determined by the managers of each department) shall be regularly updated and backed up by computer terminal users and submitted to the head of the department, who shall be responsible for preservation. Within 10 days after the beginning of a quarter, the managers of each department shall submit the work data of the previous quarter of their department to the Administration and Human Resources Department for collection and unified storage on magnetic media or CDs.

Article 20 Computer terminal users must store valuable data on disks other than the system disk (the hard disk partition where the operating system is located, usually the C drive). If a computer information system fails, the user should contact the Information Center in a timely manner and take measures to protect data security.

Article 21 Duplicate copies of important data should be prepared and stored in different locations. Data stored on magnetic media or CDs should be checked and copied regularly to prevent data loss due to damage to the media. Anti-magnetic, fire-proof, moisture-proof and dust-proof measures must be taken.

Chapter 4 Operation Management

Article 22 All professional software related to business is the responsibility of the user. It is strictly forbidden to use the computer for things unrelated to work; it is strictly forbidden for external personnel other than maintenance personnel to operate various equipment; it is strictly forbidden for non-Information Center personnel to change the equipment configuration at will.
Article 23 The Information Center will provide targeted training on employees' computer application skills on a regular or irregular basis, and the training results will be included in the employee performance appraisal; the Information Center will collect common computer information system faults and troubleshooting methods and compile them into a manual for the company's employees to study and refer to.

Article 24 When computer terminal users encounter computer information system problems at work, they should first try to handle them by themselves or refer to the manual. If they encounter a problem that is not included in the manual or has not been discussed in training, they should contact the Information Center, the software development unit or the hardware supplier to resolve the problem as soon as possible.

Chapter 5 Website Management

Article 25 The Information Center provides technical support and backend management for the company's website, and the company's relevant departments provide reviewed written and electronic website construction materials.

(I) Emergency measures when illegal speech appears on websites or web pages
1. The information content of websites and web pages is closely monitored by the Information Center staff at all times.
2. When illegal information is discovered online, the responsible personnel should immediately report the situation to the department leader. In urgent cases, deletion and other processing measures should be taken first, and then the process should be followed.
3. Upon receiving the notification, the website personnel shall immediately clean up the illegal information, strengthen security measures, and put the website pages back into use.
4. The website responsible person should properly preserve relevant records and logs or inspection records.

(II) Emergency measures in case of hacker attacks
1. When the content of a web page is tampered with, or when a hacker is discovered to be attacking through the company's network firewall, the attacked server and other devices should be disconnected from the network first, and the situation should be reported to the superior.
2. The website manager will immediately restore and rebuild the damaged system.

(III) Virus safety emergency response measures
1. When a computer is found to be infected with a virus, it should be immediately isolated from the network.
2. Back up the data on the hard disk of the computer where the data is stored.
3. Enable anti-virus software to scan and remove viruses from other networked machines.
4. If you find that the anti-virus software is unable to remove the virus, you should report it to your superior immediately.
5. After the website manager confirms that the virus cannot be detected and removed, he/she should make relevant records and immediately contact relevant technical personnel to quickly study and solve the problem.
6. If the device infected with the virus is a server or host system, with the consent of the superior, the server should be disconnected immediately and the client personnel should be informed to perform virus removal on the client machines.

(IV) Emergency measures for software systems subject to destructive attacks
1. Important software systems such as OA must be backed up at ordinary times. The data corresponding to the software system must be backed up for multiple days and saved on different machines.
2. If you find that the software is damaged or not running properly, you should report it to the Information Center staff immediately.
3. Information Center personnel immediately restore the software system and data.

(V) Database security emergency measures
1. Each database system must prepare at least two database backups.
2. Once the database crashes, it should be reported to the superior immediately, and the users in each department should be notified to postpone uploading and reporting data.
3. Information Center personnel should maintain the host system. If they encounter any problems that cannot be solved, they should immediately report to their superiors and promptly notify professional technicians to handle the problem.
4. After the system is repaired, restore the data as required.
5. If there is a problem with the backup data, report it to your leader in a timely manner and contact the software developer to resolve it.

(VI) Equipment safety emergency measures
1. If any key equipment such as computers or servers is damaged, the Information Center staff should be notified immediately.
2. Information Center staff should immediately find out the cause.
3. If the staff can restore the equipment themselves, the damaged parts should be replaced with spare parts immediately.
4. If the staff cannot restore the equipment themselves, contact the equipment provider immediately and request a professional maintenance person to repair it.
5. If the equipment cannot be repaired immediately, you should report it to your superiors.

(VII) Emergency measures when key personnel are not on duty
1. For key positions, personnel reserves should be prepared to ensure that two people can perform one job.
2. Once a key staff member is absent from work, the first thing to do is to report to the superior leader.
3. The operation shall be carried out by other personnel of the Information Center after approval by superior leaders.
Chapter 6 Penalty Measures

Article 26 If a computer terminal user downloads, installs or stores files not related to work without authorization, he shall be fined 10 yuan/100M (rounded up to 100M) for the first time according to the file size after verification, and the fine shall be doubled each time thereafter (20 yuan/100M for the second time, 40 yuan/100M for the third time, 80 yuan/100M for the fourth time, and so on). If a user in charge of the use of the computer downloads, installs or stores files not related to work without authorization, he shall be fined 10 yuan/100M (rounded up to 100M) for the first time according to the file size, and the fine shall be doubled each time thereafter (20 yuan/100M for the second time, 40 yuan/100M for the third time, 80 yuan/100M for the fourth time, and so on). If such a situation occurs three or more times, an administrative penalty shall be imposed.

Article 27 Anyone who commits any of the following acts shall be fined not less than RMB 50 and not more than RMB 500, depending on the severity of the circumstances.
(1) Creating or intentionally inputting or spreading computer viruses or other harmful data;
(2) Illegally copying, intercepting, or tampering with data in a computer information system in a way that endangers the security of the computer information system;
(3) Conducting malicious attacks on networks and servers, invading other people's networks and server systems, or using computers and networks to interfere with other people's normal work;
(4) Accessing unauthorized files or systems, or changing device settings;
(5) Failing, as the applicant, to submit the forms mentioned in Chapter 2 to the Information Center within one week after the equipment is put into use or scrapped;
(6) Exchanging computers or related equipment with others without authorization;
(7) Adjusting the arrangement of internal department computers without authorization and failing to file with the Information Center;
(8) During routine spot checks, job transfers, or when leaving the company, being found with a computer configuration that does not match the computer file, or with an IT equipment card that has been torn, painted over, or covered up, etc.;
(9) Using company computers for non-work-related matters outside of working hours;
(10) The same fault occurring multiple times, where it is determined that the cause of the fault is due to personal reasons;
(11) Leaving the office for a long time (more than five hours) due to work needs, or failing to shut down the computer without reason after getting off work.

Article 28 If a computer terminal user damages equipment more than twice due to subjective improper operation, or intentionally damages equipment, he shall pay compensation of 20% to 80% of the market value of the damaged equipment, depending on the severity of the circumstances, and shall be subject to administrative penalties.
Chapter 7 Supplementary Provisions

Article 29 The following terms used in this system have the following meanings:

Equipment: refers to IT equipment such as laptops, desktop computers, printers, copiers, fax machines, scanners, etc. purchased to complete work.

Harmful data: refers to data related to computer information systems, containing programs that endanger the safe operation of computer information systems, or data that poses a hazard or potential threat to national and social public security.

Legal users: employees of the company who are authorized by the Information Center to use the company's network resources; the rest are illegal users.

Article 30 Computer terminal users should actively cooperate with the Information Center to jointly carry out computer information system security management.

Article 31 This system applies to the entire company, and the Information Center of the President's Office is responsible for its interpretation and revision.

Article 32 This system shall be implemented from the date of its promulgation. Where any earlier system is inconsistent with this system, this system shall prevail.