Post on 09-Apr-2022

1 views

Category:

Documents


0 download

TRANSCRIPT

<Confidential> eBaoTech Corporation

eBao ISO/IEC 27001:2013
System Effectiveness Measurement Management Policy
eBaoTech-ISMS-02-016
eBaoTech Corporation

Copyright and Confidentiality Notice

© Copyright eBaoTech Corporation

All rights reserved. Reproduction in whole or in part is prohibited without the prior written consent of the copyright owner.

The information contained in this document is strictly confidential and must not be disclosed to any other person by the client or by any of its employees without the prior written consent of the copyright owner.

The client is permitted to disclose the information only to those of its employees and/or professional advisors who need to have access to it, and the client will notify such employees and/or professional advisors of the terms of this notice.

For any questions or remarks on this document, please contact eBaoTech Corporation at +86 (21) 61407777.

Contents

1. Purpose ..... 1
2. Scope ..... 1
3. Terms and Definitions ..... 1
4. Responsibilities ..... 1
  4.1. Management Representative ..... 1
  4.2. MIS Department ..... 1
  4.3. Departments ..... 1
5. Procedures ..... 1
  5.1. General Requirements ..... 1
  5.2. Measurement Scope ..... 2
  5.3. Working Procedures ..... 2
  5.4. Continual Improvement ..... 2
APPENDIX I. Control Measures Effectiveness Measurement Form ..... 3

1. Purpose

This policy is formulated to continuously improve the implementation of information security work at eBaoTech Corporation (hereinafter referred to as the "Company"), to quantitatively evaluate the implementation effect of information security control measures, and to measure the overall effectiveness and continual improvement capability of the information security management system.

2. Scope

This document applies to the effectiveness measurement of the control measures of the information security management system.

3. Terms and Definitions

None.

4. Responsibilities

4.1. Management Representative

Responsible for auditing the effectiveness measurement programs and target values, reviewing and approving the application of effectiveness measurement, and evaluating reports related to effectiveness measurement.

4.2. MIS Department

Responsible for organizing the formulation and maintenance of the effectiveness measurement programs and target values, and for organizing all departments to carry out effectiveness measurement and write the relevant reports.

4.3. Departments

Responsible for providing true and valid data and materials for effectiveness measurement, and for completing the effectiveness measurement work within their own responsibilities in a coordinated manner.

5. Procedures

5.1. General Requirements

a) Effectiveness measurement of the control measures of the information security management system is an important guarantee mechanism for achieving the goals of the Company's information security management system, so the effectiveness measurement work shall be closely integrated with the information security policy to ensure that control measures can be monitored and measured;

b) The effectiveness measurement work shall be carried out according to the principle of step-by-step, continual improvement, and the measurement programs and target values shall be improved gradually.

5.2. Measurement Scope

a) The effectiveness measurement of control measures mainly covers all reporting requirements and measurement programs of the control measures adopted in the information security management work (see Appendix I, Statistical Table of Control Measures Effectiveness Measurement, for the specific indicators).

5.3. Working Procedures

a) MIS shall organize all departments to carry out the effectiveness measurement of the information security management system control measures before the annual management review, and the effectiveness measurement shall be approved by the management representative.

b) All departments shall complete the measurement of their corresponding indicators in accordance with the contents and time requirements of Appendix I (Statistical Table of Control Measures Effectiveness Measurement) and report the statistical results to MIS in a timely manner;

c) MIS shall summarize and analyze the data provided by all departments and fill in the "Statistical Table of Control Measures Effectiveness Measurement", which serves as an important input to the management review of the information security management system and provides decision evidence for the improvement of the information security management system.

5.4. Continual Improvement

a) The Committee of Information Security Management shall decide whether the operation of the system reaches the expected goal, and shall rectify problems in accordance with the "Correction and Prevention Control Process";

b) MIS shall regularly organize an assessment of whether the measurement indicators of the control measures reach the system construction and operation goals, and shall revise and improve the existing measurement indicators as the actual environment changes. The assessment period shall not exceed the period of the system audit (according to the "Internal Audit Control Process", internal audit shall be organized at least once a year, so the period of revision and improvement shall not exceed one year).

APPENDIX I. Control Measures Effectiveness Measurement Form

Statistical Table of System Control Measures Effectiveness Measurement

The columns of the original form are: Control Domain, Control Measures, Measurement Contents, Indicators, Data Sources, Responsible Department, Responsible Person, Measurement Frequency, and result columns for the First, Second, Third and Fourth Quarter. The Responsible Person and quarterly result columns are blank in this copy and are omitted below.

| Control Domain | Control Measure | Measurement Content | Indicator | Data Source | Responsible Dept. | Frequency |
|---|---|---|---|---|---|---|
| A5 Information Security Policy | 1. Formulate the information security policy, and publicise and implement it through daily employee training. | Percentage of employees who understand the Company's information security policy | >= 98% | Daily inspection and audit records | MIS | Every year |
| A5 | 2. Review the security policy every year. | Whether the security policy is reviewed | >= once/year | Management review records | MIS | Every year |
| A6 Information Security Organization | 1. Top management is committed to actively supporting internal information security management through responsibility allocation and resource input. | Whether top management actively supports the Company's internal information security management | Yes | Management review records | MIS | Every year |
| A6 | 2. Establish the internal Committee of Information Security Management, specify the responsibilities of each member body, and keep in contact with government departments and special interest groups. | Whether the internal security management organization is established and its responsibilities specified | Yes | System documents | MIS | Every year |
| A6 | (2, continued) | Whether contact with government departments and special interest groups is maintained | Yes | Contact records | MIS | Every year |
| A6 | 3. New information processing facilities shall be authorized by the relevant administrators before use. | Percentage of new information processing facilities with authorization | >= 95% | Authorization records | MIS | Every year |
| A6 | 4. Regularly review the confidentiality agreement template for employees and third-party companies so that its requirements comply with Company regulations. | Whether the confidentiality agreement is reviewed | Yes | Supplier contracts and employee contracts | MIS | Every year |
| A6 | 5. Carry out independent audit of the operation of the information security management system. | Whether a third-party audit is carried out | >= once/year | Independent third-party audit contracts | MIS | Every year |
| A6 | 6. Access to Company information by third parties or clients shall be authorized by the relevant administrators. | Percentage of access with authorization | >= 95% | Authorization records | MIS | Every year |
| A6 | 7. Contracts signed with third parties shall contain confidentiality clauses, or a separate confidentiality agreement shall be signed. | Percentage of third parties covered by confidentiality clauses | >= 90% | Confidentiality agreements or contracts | MIS | Every year |
| A7 Human Resources Security | 1. Carry out background checks on key positions. | Percentage of the Company's key positions with background checks | 100% | Background check table | MIS | Every year |
| A7 | 2. Sign confidentiality agreements with all employees. | Percentage of employees who have signed confidentiality agreements | 100% | Confidentiality agreements | MIS | Every quarter |
| A7 | 3. Regularly carry out information security training for employees. | Percentage of all employees who have received information security training | >= 95% | Training records | MIS | Every quarter |
| A7 | 4. All employees and third-party personnel shall return all Company assets when they leave office or go off-site, and all their access rights shall be withdrawn. | Percentage of personnel who returned Company assets and had access rights withdrawn | 100% | Resignation records; third-party security inspection table | MIS | Every quarter |
| A8 Asset Management | 1. Identify all assets, compile the asset list and maintain it. | Match rate of the asset list | >= 95% | Asset list | MIS | Every year |
| A8 | 2. All assets shall be assigned a responsible department and person. | Percentage of assets with a designated responsible department and person | >= 95% | Asset list | MIS | Every year |
| A8 | 3. All assets shall be labelled according to Company regulations. | Percentage of assets that are labelled | >= 90% | Daily inspection and audit records | MIS | Every year |
| A9 Access Control | 1. Formulate internal access control management policies and audit them regularly. | Number of annual audits of access control management documents | >= once | Management review records | MIS | Every quarter |
| A9 | 2. Formulate the system user access registration form and review it regularly. | Number of system user access rights reviews | >= once | User access review records | MIS | Every quarter |
| A9 | 3. Assess the effectiveness of the user password policy through the results of internal audit and inspection. | Number of unauthorized system accesses due to an improper password policy | <= three times | Information security incidents | MIS | Every quarter |
| A9 | 4. Employees are required to follow the clear desk and clear screen policy. | Number of information assets lost or accessed without authorization because the clear desk and clear screen policy was not followed | <= three times | Internal inspection table; information security incident records | MIS | Every year |
| A9 | 5. Audit all third-party connections that access internal networks. | Number of third-party network connections not reviewed before access | <= three times | Spot inspection | MIS | Every year |
| A10 Cryptography | 1. Passwords shall be at least 8 characters long, shall be made up of at least two of the three character types (letters, numbers and special characters), and shall not contain the user name. | Percentage of employee password settings, checked by random inspection, that conform to the regulations | 100% | Spot inspection | MIS | Every quarter |
| A10 | 2. The password protection function of the screen saver must be on. | Percentage of employees, checked by random inspection, who have screen saver password protection enabled | 100% | Spot inspection | MIS | Every quarter |
| A11 Physical and Environmental Security | 1. The access control system shall be used and corresponding access rights shall be set for employees. | Correctness rate of access control rights | >= 95% | Review form of access control system rights | MIS | Every quarter |
| A11 | 2. Carry out routine inspection of the machine room to ensure the environment meets MIS requirements. | Incidents of information systems stopping due to environmental problems in the machine room | <= once | Information security incident records | MIS | Every quarter |
| A11 | 3. Carry out routine inspection of the machine room and test the UPS. | Incidents of information systems stopping due to UPS failure | None | UPS routine inspection records | MIS | Half a year |
| A12 Operational Security | 1. Major change plans shall be tested and shall contain rollback, withdrawal and recovery plans. | Incidents of information systems stopping due to failed major changes | <= two times | Change records | MIS | Every year |
| A12 | 2. Development, testing and operational facilities shall be segregated. | Whether development, testing and operational facilities are segregated | Yes | Internal audit form | MIS | Every year |
| A12 | 3. Provide information security training for third-party personnel and audit third-party services. | Information security incidents of major or above level caused by third-party services | <= once | Information security incident records | MIS | Every year |
| A12 | 4. Monitor system capacity. | Incidents of information systems stopping due to capacity problems | <= once | Capacity warning logs | MIS | Every quarter |
| A12 | 5. All terminals shall have the designated anti-virus software installed and kept up to date. | Percentage of terminals with the anti-virus software installed | >= 95% | Information security self-inspection form; anti-virus system | MIS | Every quarter |
| A12 | (5, continued) | Percentage of terminals whose anti-virus software updates normally | >= 95% | Information security self-inspection form; anti-virus system | MIS | Every quarter |
| A12 | 6. Important data shall be backed up regularly and the backups tested for effectiveness. | Information security incidents of major or above level caused by expired backup data | <= two times | Information security incident records | MIS | Every quarter |
| A12 | 7. All media and facilities shall have their data cleared or be physically destroyed before reuse or scrapping. | Information security incidents of major or above level caused by improper disposal of media or facilities | <= once | Information security incident records | MIS | Every year |
| A12 | 8. Important system logs (including administrator and operator activities and system failure information) shall be kept and reviewed regularly. | Number of information security incidents with no log records | <= once | Information security incident records | MIS | Every year |
| A13 Communications Security | 1. Any form of connection between the Company's internal network and external networks is forbidden without approval. | Number of unauthorized external connections found during checks | None | Information security situation report | MIS | Every quarter |
| A13 | 2. Carry out vulnerability scanning of network facilities and systems, and remediate them according to the scan results. | Number of vulnerability scans | >= once | Vulnerability scanning records | MIS | Every year |
| A13 | 3. System administrators shall carry out regular routine inspection of important network facilities. | Number of routine inspections of network facilities | once/day | Routine inspection records | MIS | Every quarter |
| A14 Information System Acquisition, Development and Maintenance | 1. Specify the security control requirements in the requirements of information system development. | Percentage of information systems with security requirements defined in the requirements analysis phase | >= 95% | Information system requirements documents | MIS | Every year |
| A14 | 2. Measures shall be taken to control software installation on operating systems. | Percentage of software installations on production system platforms (operating systems) that were approved | >= 95% | Production environment software installation approval records | MIS | Half a year |
| A14 | 3. Measures shall be taken to ensure data security in system testing. | Percentage of test data that is desensitized | >= 95% | Test data desensitization records | MIS | Every year |
| A14 | 4. Restrict access to the source code of information systems. | Percentage of approved accesses to the source code of online information systems | >= 95% | Approval records of access to source code | MIS | Every quarter |
| A14 | 5. Measures shall be taken to control changes during information system development. | Percentage of changes approved in the development process | >= 95% | Approval records of development changes | MIS | Every year |
| A14 | 6. Carry out specialist technical audit of operating system changes (such as version upgrades). | Percentage of operating system changes that were approved | >= 95% | Records of operating system changes | MIS | Every year |
| A15 Supplier Relationships | 1. Before cooperating with third parties, the corresponding departments shall sign service contracts or agreements with them and specify the relevant confidentiality requirements. | Percentage of service suppliers that have signed confidentiality agreements | >= 90% | Number of contracts and confidentiality agreements | MIS | Every year |
| A15 | 2. All departments shall organize assessment of the strength of suppliers and the products they provide. | Percentage of suppliers assessed | 100% | Supplier assessment table | MIS | Regularly |
| A16 Information Security Incident Management | 1. Measures shall be taken to audit the information security incident reports and the processing of the relevant systems. | Number of audits of information security incident reports and system processing | >= once | Information security management system documents; approval records of system files | MIS | Every year |
| A16 | 2. Information security incidents that are required to be reported shall be processed in accordance with system requirements. | Percentage of information security incidents processed | >= 95% | Information security incident records | MIS | Half a year |
| A16 | 3. Information security incidents whose processing is finished shall be summarized. | Percentage of information security incidents summarized | >= 95% | Summary of information security incidents | MIS | Half a year |
| A17 Information Security Aspects of Business Continuity Management | 1. The relevant business continuity management systems shall be audited regularly. | Number of approvals of business continuity management systems | >= once | Information security management system documents; approval records of system files | MIS | Every year |
| A17 | 2. Drills of all kinds of contingency plans shall be carried out regularly. | Percentage of all contingency plans drilled annually | >= 70% | Contingency plan drill records | MIS | Half a year |
| A17 | 3. Contingency plans shall be audited regularly and revised. | Percentage of contingency plans audited annually and revised according to the audit results | >= 70% | Audit records of contingency plans | MIS | Every year |
| A18 Compliance | 1. Applicable laws and regulations shall be identified by the Company. | Number of applicable laws and regulations identified per year | >= 10 | Identification records of information security laws and regulations | MIS | Every year |
| A18 | 2. Carry out inspection for specific intellectual property rights requirements, or include intellectual property rights inspection in internal audit and security inspection. | Number of times intellectual property rights inspection is included in internal audit and security inspection | >= once | Internal audit records; information security inspection records | MIS | Every year |
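Control A10-1 in the form states a concrete password rule (at least 8 characters, at least two of the three character types, no user name in the password) and measures it as the percentage of spot-inspected settings that conform, against a 100% target. The Python below is an added example, not part of eBaoTech's form or procedures: it encodes the rule as written, runs it over a small constructed set of inspection records, and reports the conformance percentage against the target. The function names, the sample records, the treatment of any non-letter, non-digit character as "special", and the case-insensitive user-name match are assumptions of this example.

```python
"""Spot-inspection check of the A10-1 password rule.

Rule as stated in the form: at least 8 characters, characters from at
least two of the three types (letters, numbers, special characters), and
the user name must not appear in the password. Everything else here is an
assumption of this added example, not eBaoTech's own procedure.
"""
from dataclasses import dataclass


def char_types(password: str) -> set:
    """Return which of the three policy character types appear in the password."""
    types = set()
    for ch in password:
        if ch.isalpha():
            types.add("letter")
        elif ch.isdigit():
            types.add("number")
        else:
            types.add("special")  # assumption: anything else counts as special
    return types


def password_conforms(password: str, username: str) -> bool:
    """True when the password satisfies the three conditions of control A10-1."""
    if len(password) < 8:
        return False
    if len(char_types(password)) < 2:
        return False
    # assumption: the user-name check is case-insensitive and skips empty names
    if username and username.lower() in password.lower():
        return False
    return True


@dataclass
class Inspection:
    """One spot-inspection record (hypothetical structure)."""
    username: str
    password: str


def conformance_rate(samples) -> float:
    """Percentage of inspected settings that conform: the form's A10-1 indicator."""
    if not samples:
        return 0.0
    ok = sum(1 for s in samples if password_conforms(s.password, s.username))
    return 100.0 * ok / len(samples)


TARGET_PERCENT = 100.0  # A10-1 target value from the form


def meets_target(samples) -> bool:
    """True when the quarter's inspection result reaches the 100% target."""
    return conformance_rate(samples) >= TARGET_PERCENT


# Constructed sample inspection data (not real accounts or passwords).
SAMPLE = [
    Inspection("alice", "Tr0ub4dor-xyz"),    # conforms
    Inspection("bob", "bob12345"),           # contains the user name
    Inspection("carol", "abcdefgh"),         # only one character type
    Inspection("dave", "Sh0rt!"),            # shorter than 8 characters
    Inspection("erin", "correct horse 42"),  # letters + numbers (+ spaces)
]

if __name__ == "__main__":
    for s in SAMPLE:
        verdict = "OK" if password_conforms(s.password, s.username) else "FAIL"
        print(f"{s.username:6} {verdict}")
    print(f"conformance: {conformance_rate(SAMPLE):.1f}% (target >= {TARGET_PERCENT}%)")
```

Each FAIL row is a finding for the department to correct, and the percentage is the value MIS would enter in the A10-1 indicator column for the quarter; on the constructed sample it comes out at 40%, well below the 100% target.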