eBaoTech Corporation <Confidential>
eBao ISO/IEC 27001:2013
System Effectiveness Measurement Management Policy
eBaoTech-ISMS-02-016
Copyright and Confidentiality Notice
© Copyright eBaoTech Corporation
All rights reserved. Reproduction in whole or in part is prohibited without the prior written consent of the copyright owner.
The information contained in this document is strictly confidential and must not be disclosed to any other person by the client or by any of its employees without the prior written consent of the copyright owner.
The client is permitted to disclose the information only to those of its employees and/or professional advisors who need to have access to it, and the client will notify such employees and/or professional advisors of the terms of this notice.
For any questions or remarks on this document, please contact eBaoTech Corporation, +86 (21) 61407777.
Contents
1. Purpose
2. Scope
3. Terms and Definitions
4. Responsibilities
4.1. Management Representative
4.2. MIS Department
4.3. Departments
5. Procedures
5.1. General Requirements
5.2. Measurement Scope
5.3. Working Procedures
5.4. Continual Improvement
APPENDIX I. Control Measures Effectiveness Measurement Form
1. Purpose
This policy is formulated to continuously improve the implementation of information security work at eBaoTech Corporation (hereinafter referred to as the "Company"), to quantitatively evaluate the effect of implementing information security control measures, and to measure the overall effectiveness and the continual improvement capability of the information security management system.
2. Scope
This policy applies to the effectiveness measurement of the information security management system control measures.
3. Terms and Definitions
None.
4. Responsibilities
4.1. Management Representative
Responsible for auditing the effectiveness measurement programs and target values, reviewing and approving the application of effectiveness measurement, and evaluating reports related to effectiveness measurement.
4.2. MIS Department
Responsible for organizing the formulation and maintenance of the effectiveness measurement programs and target values, and for organizing all departments to carry out effectiveness measurement and write the relevant reports.
4.3. Departments
Responsible for providing true and valid data and materials for effectiveness measurement, and for completing, in coordination with MIS, the effectiveness measurement work within their own areas of responsibility.
5. Procedures
5.1. General Requirements
a) Effectiveness measurement of information security management system control measures is an important guarantee mechanism for achieving the goals of the Company's information security management system. The effectiveness measurement work shall therefore be closely integrated with the information security policy, so that control measures can be monitored and measured.
b) The effectiveness measurement work shall be carried out step by step under the principle of continual improvement, and the measurement programs and target values shall be gradually refined.
5.2. Measurement Scope
a) The effectiveness measurement of control measures covers all reporting requirements and measurement programs for the control measures adopted in the information security management work (see Appendix I, Statistical Table of Control Measures Effectiveness Measurement, for the specific indicators).
5.3. Working Procedures
a) Before the annual management review, MIS shall organize all departments to carry out the effectiveness measurement of the information security management system control measures, and the effectiveness measurement shall be approved by the management representative.
b) All departments shall complete the measurement of their indicators according to the contents and timing requirements of Appendix I (Statistical Table of Control Measures Effectiveness Measurement) and report the statistical results to MIS in a timely manner.
c) MIS shall summarize and analyze the data provided by all departments and fill in the "Statistical Table of Control Measures Effectiveness Measurement". The completed table is an important input to the management review of the information security management system and provides decision evidence for its improvement.
5.4. Continual Improvement
a) The Committee of Information Security Management shall decide whether the system operation has reached the expected goal and shall rectify any problems in accordance with the "Correction and Prevention Control Process".
b) MIS shall regularly organize an assessment of whether the measurement indicators of the control measures meet the system construction and operation goals, and shall revise and improve the existing measurement indicators as the actual environment changes. The assessment period shall not exceed the system audit period (according to the "Internal Audit Control Process", an internal audit is organized at least once a year, so the revision and improvement period shall not exceed one year).
APPENDIX I. Control Measures Effectiveness Measurement Form
Statistical Table of System Control Measures Effectiveness Measurement

The form also has "Responsible Person" and first- to fourth-quarter result columns, which are blank in this template and are filled in when the measurement is carried out.

A5 Information Security Policy

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Formulate the information security policy, and publicize and implement it through daily employee training. | Percentage of employees who understand the Company's information security policy | >= 98% | Daily inspection and audit records | MIS | Every year |
| 2. Review the security policy every year. | Whether the security policy is reviewed | >= once/year | Management review records | MIS | Every year |

A6 Information Security Organization

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Top management is committed to actively supporting internal information security management through responsibility allocation and resource input. | Whether top management actively supports the Company's internal information security management | Yes | Management review records | MIS | Every year |
| 2. Establish the internal Committee of Information Security Management, specify the responsibilities of each constituent, and keep in contact with government departments and special interest groups. | Whether the internal security management organization is established and its responsibilities specified | Yes | System files | MIS | Every year |
| (2, continued) | Whether contact is kept with government departments and special interest groups | Yes | Contact records | MIS | Every year |
| 3. New information processing facilities shall be authorized by the relevant administrators before use. | Percentage of new information processing facilities with authorization | >= 95% | Authorization records | MIS | Every year |
| 4. Regularly review the confidentiality agreement templates for employees and third-party companies to ensure their requirements comply with Company regulations. | Whether the confidentiality agreements are reviewed | Yes | Supplier contracts and employee contracts | MIS | Every year |
| 5. Carry out an independent audit of the operation of the information security management system. | Whether a third-party audit is carried out | >= once/year | Independent third-party audit contracts | MIS | Every year |
| 6. Access to Company information by third parties or clients shall be authorized by the relevant administrators. | Percentage of access with authorization | >= 95% | Authorization records | MIS | Every year |
| 7. Contracts signed with third parties shall contain confidentiality clauses, or a confidentiality agreement shall be signed. | Percentage of third parties with confidentiality clauses | >= 90% | Confidentiality agreements or contracts | MIS | Every year |

A7 Human Resources Security

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Carry out background checks for key positions. | Percentage of key positions in the Company with background checks | 100% | Background check table | MIS | Every year |
| 2. Sign confidentiality agreements with all employees. | Percentage of employees who have signed confidentiality agreements | 100% | Confidentiality agreements | MIS | Every quarter |
| 3. Regularly carry out information security training for employees. | Percentage of all employees who have received information security training | >= 95% | Training records | MIS | Every quarter |
| 4. All employees and third-party personnel shall return all Company assets when they leave office or go off-site, and all their access rights shall be withdrawn. | Percentage of personnel who returned Company assets or had access rights withdrawn | 100% | Demission records; third-party security inspection table | MIS | Every quarter |

A8 Asset Management

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Identify all assets, compile an asset list and maintain it. | Coincidence rate of the asset list (agreement between the list and actual assets) | >= 95% | Asset list | MIS | Every year |
| 2. All assets shall be assigned a responsible department and person. | Percentage of assets with an assigned responsible department and person | >= 95% | Asset list | MIS | Every year |
| 3. All assets shall be labelled according to Company regulations. | Percentage of assets that are labelled | >= 90% | Daily inspection and audit records | MIS | Every year |

A9 Access Control

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Formulate internal access control management policies and audit them regularly. | Annual number of audits of access control management documents | >= once | Management review records | MIS | Every quarter |
| 2. Formulate a system user access registration form and review it regularly. | Frequency of system user rights reviews | >= once | User access review records | MIS | Every quarter |
| 3. Assess the effectiveness of the user password policy through the results of internal audit and inspection. | Number of unauthorized system accesses caused by an improper password policy | <= three times | Information security incident records | MIS | Every quarter |
| 4. Employees are required to follow the clear-desk and clear-screen policy. | Number of times information assets are lost or accessed without authorization because the clear-desk and clear-screen policy was not followed | <= three times | Internal inspection table and information security incident records | MIS | Every year |
| 5. Audit all third-party connections that access the internal network. | Number of third-party network connections not reviewed before access | <= three times | Spot inspection | MIS | Every year |

A10 Cryptography

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Passwords shall be at least 8 characters long, shall be made up of at least two of the three character types (letters, numbers and special characters), and shall not contain the user name. | Percentage of randomly inspected employees whose password settings conform to the regulation | 100% | Spot inspection | MIS | Every quarter |
| 2. The password protection function of the screen saver must be enabled. | Percentage of randomly inspected employees who have enabled screen saver password protection | 100% | Spot inspection | MIS | Every quarter |

A11 Physical and Environmental Security

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. The access control system shall be used and corresponding access rights set for employees. | Correctness rate of access control rights | >= 95% | Access control system rights review form | MIS | Every quarter |
| 2. Carry out routine inspection of the machine room to ensure the environment meets MIS requirements. | Incidents in which information systems stop running due to machine room environmental problems | <= once | Information security incident records | MIS | Every quarter |
| 3. Carry out routine inspection of the machine room and UPS tests. | Incidents in which information systems stop running due to UPS failure | None | UPS routine inspection records | MIS | Every half year |

A12 Operational Security

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Major change plans shall be tested and shall contain rollback, withdrawal and recovery plans. | Incidents in which information systems stop running due to a failed major change | <= two times | Change records | MIS | Every year |
| 2. Development, testing and operational facilities shall be segregated. | Whether development, testing and operational facilities are segregated | Yes | Internal audit form | MIS | Every year |
| 3. Provide information security training to third-party personnel, and audit third-party services. | Information security incidents of major or higher level caused by third-party services | <= once | Information security incident records | MIS | Every year |
| 4. Monitor system capacity. | Incidents in which information systems stop running due to capacity problems | <= once | Capacity warning logs | MIS | Every quarter |
| 5. All terminals shall have the designated anti-virus software installed and kept up to date. | Percentage of terminals with anti-virus software installed | >= 95% | Information security self-inspection form; anti-virus system | MIS | Every quarter |
| (5, continued) | Percentage of terminals whose anti-virus software updates normally | >= 95% | Information security self-inspection form; anti-virus system | MIS | Every quarter |
| 6. Important data shall be backed up regularly and the backups tested for effectiveness. | Information security incidents of major or higher level caused by expired backup data | <= two times | Information security incident records | MIS | Every quarter |
| 7. All media and facilities shall have their data wiped or be physically destroyed before re-use or scrapping. | Information security incidents of major or higher level caused by the disposal of media or facilities | <= once | Information security incident records | MIS | Every year |
| 8. Important system logs (including administrator and operator activities and system fault information) shall be kept and reviewed regularly. | Number of information security incidents for which no log records exist | <= once | Information security incident records | MIS | Every year |

A13 Communications Security

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Any form of connection between the Company's internal network and external networks is forbidden without approval. | Number of unauthorized external connections found during checks | None | Information security situation report | MIS | Every quarter |
| 2. Carry out vulnerability scanning of network facilities and systems, and harden them according to the scanning results. | Number of vulnerability scans | >= once | Vulnerability scanning records | MIS | Every year |
| 3. System administrators shall carry out regular routine inspection of important network facilities. | Frequency of routine inspection of network facilities | once/day | Routine inspection records | MIS | Every quarter |

A14 Information System Acquisition, Development and Maintenance

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Specify the security control requirements within the requirements for information system development. | Percentage of information systems with security requirements defined in the requirements analysis phase | >= 95% | Information system requirements documents | MIS | Every year |
| 2. Measures shall be taken to control the installation of software on operating systems. | Percentage of approved software installations on production system platforms (operating systems) | >= 95% | Production environment software installation approval records | MIS | Every half year |
| 3. Measures shall be taken to ensure data security during system testing. | Percentage of test data that has been desensitized | >= 95% | Test data desensitization records | MIS | Every year |
| 4. Restrict access to information system source code. | Percentage of approved accesses to the source code of online information systems | >= 95% | Source code access approval records | MIS | Every quarter |
| 5. Measures shall be taken to control changes during information system development. | Percentage of changes approved during development | >= 95% | Development change approval records | MIS | Every year |
| 6. Carry out a specialized technical audit of operating system changes (such as version upgrades). | Percentage of approved operating system changes | >= 95% | The percentage of operating systems changes | MIS | Every year |

A15 Supplier Relationships

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Before cooperating with third parties, the corresponding departments shall sign service contracts or agreements with them that specify the relevant confidentiality requirements. | Percentage of service suppliers that have signed confidentiality agreements | >= 90% | Number of contracts and confidentiality agreements | MIS | Every year |
| 2. All departments shall organize an assessment of the strength of suppliers and of the products they provide. | Percentage of suppliers assessed | 100% | Supplier assessment table | MIS | Regularly |

A16 Information Security Incident Management

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Measures shall be taken to audit information security incident reports and the handling of the relevant systems. | Number of audits of information security incident reports and system handling | >= once | Approval records of information security management system files | MIS | Every year |
| 2. Information security incidents that are required to be reported shall be handled in accordance with the system requirements. | Percentage of information security incidents handled | >= 95% | Information security incident records | MIS | Every half year |
| 3. Information security incidents whose handling is complete shall be summarized. | Percentage of information security incidents summarized | >= 95% | Information security incident summaries | MIS | Every half year |

A17 Information Security Aspects of Business Continuity Management

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. The relevant business continuity management systems shall be audited regularly. | Number of approvals of business continuity management systems | >= once | Approval records of information security management system files | MIS | Every year |
| 2. Drills of all kinds of contingency plans shall be carried out regularly. | Percentage of all contingency plans drilled annually | >= 70% | Contingency plan drill records | MIS | Every half year |
| 3. Contingency plans shall be audited regularly and revised. | Percentage of contingency plans audited annually and revised according to the audit results | >= 70% | Contingency plan audit records | MIS | Every year |

A18 Compliance

| Control Measure | Measurement Content | Indicator | Data Source | Responsible Department | Measurement Frequency |
|---|---|---|---|---|---|
| 1. Applicable laws and regulations shall be identified by the Company. | Number of laws and regulations identified annually | >= 10 | Identification records of information security laws and regulations | MIS | Every year |
| 2. Carry out inspection of specific intellectual property rights requirements, or include intellectual property rights inspection in internal audits and security inspections. | Number of internal audits and security inspections that include intellectual property rights inspection | >= once | Internal audit records; information security inspection records | MIS | Every year |
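The A10 password rule in the form above (at least 8 characters, at least two of the three character types, no user name in the password) and the way the table states its targets (">= 95%", "<= three times", "100%", "Yes", "None") can both be checked mechanically. The following Python script is an added example written for this page; it is not part of the eBaoTech policy or of any eBaoTech tool. The inspection sample is constructed, and two readings of the rule are assumptions: "special character" is taken to mean any ASCII punctuation character, and "shall not contain the user name" is taken as a case-insensitive substring test.

```python
"""Added example: evaluate Appendix I, A10 item 1 over spot-inspection data.

Not part of the eBaoTech policy. Sample data and the interpretation of
'special character' and 'contains the user name' are assumptions.
"""
import re
import string

# Constructed spot-inspection sample (user name, password as set) - not real data.
SAMPLE_INSPECTION = [
    ("alice", "Tr0ub4dor&3"),   # 11 chars, letters + digits + punctuation -> conforms
    ("bob", "bobsecret1"),      # contains the user name -> fails
    ("carol", "password"),      # letters only (one class) -> fails
    ("dave", "Xy7#kLm9pQ"),     # conforms
]

MIN_LENGTH = 8           # A10 item 1: "not less than 8 characters"
TARGET_A10_1 = "100%"    # indicator column of A10 item 1
NUMBER_WORDS = {"none": 0, "once": 1, "two": 2, "three": 3}


def password_meets_policy(password, username):
    """A10 item 1: length >= 8, at least two of {letters, digits, special
    characters}, and the password must not contain the user name.
    Assumption: 'special character' = ASCII punctuation; the user-name test
    is a case-insensitive substring match."""
    if len(password) < MIN_LENGTH:
        return False
    classes = sum([
        any(c.isalpha() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < 2:
        return False
    if username and username.lower() in password.lower():
        return False
    return True


def compliance_percentage(samples):
    """Measurement content of A10 item 1: percentage of inspected employees
    whose password settings conform to the regulation."""
    if not samples:
        return 0.0
    conforming = sum(1 for user, pw in samples if password_meets_policy(pw, user))
    return 100.0 * conforming / len(samples)


def meets_target(value, target):
    """Compare a measured value with a target written the way the form writes
    them: '>= 95%', '<= three times', '100%', '>= once/ year', 'Yes', 'None'.
    Trailing units such as 'times', 'copies' or '/ year' are ignored."""
    t = target.strip().lower().replace("%", "")
    if t in ("yes", "no"):
        return str(value).strip().lower() == t
    m = re.match(r"\s*(>=|<=)?\s*(\d+(?:\.\d+)?|none|once|two|three)", t)
    if not m:
        raise ValueError(f"unrecognised target: {target!r}")
    op = m.group(1) or "="
    threshold = float(NUMBER_WORDS.get(m.group(2), m.group(2)))
    value = float(value)
    if op == ">=":
        return value >= threshold
    if op == "<=":
        return value <= threshold
    return value == threshold


def measure_a10_item1(samples, target=TARGET_A10_1):
    """Return (measured percentage, whether the target is met) for A10 item 1."""
    pct = compliance_percentage(samples)
    return pct, meets_target(pct, target)


if __name__ == "__main__":
    pct, ok = measure_a10_item1(SAMPLE_INSPECTION)
    print(f"A10 item 1: {pct:.1f}% conforming; target {TARGET_A10_1} "
          f"{'met' if ok else 'NOT met'}")
```

With the constructed sample, two of four inspected accounts conform (50%), so the "100%" target is not met and the result would be reported to MIS as a shortfall under 5.3. The same `meets_target` comparison applies to the other rows of the form, which is why it accepts the word forms ("once", "three times", "None") used there.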