Post on 18-Dec-2021

eBao ISO/IEC 27001: 2013

Information Security Policy eBaoTech-ISMS01-002

eBaoTech Corporation

<Confidential>

Copyright and Confidentiality Notice

© Copyright eBaoTech Corporation

All rights reserved. Reproduction in whole or in part is prohibited without the prior written consent of the copyright owner.

The information contained in this document is strictly confidential and must not be disclosed to any other person by the client or by any of its employees without the prior written consent of the copyright owner.

The client is permitted to disclose the information only to those of its employees and/or professional advisors who need to have access to it, and the client will notify such employees and/or professional advisors of the terms of this notice.

For any questions or remarks on this document, please contact eBaoTech Corporation, +86 (21) 61407777.

Contents

1. Purpose .......... 1
2. Scope .......... 1
3. Responsibilities .......... 1
3.1. Management Representative .......... 1
3.2. Information Security Management Committee .......... 1
3.3. Functional Department .......... 1
3.4. Staff .......... 1
4. Information Security Policy .......... 1
5. Basic Policy on Information Security .......... 2
5.1. Organizational Security of Information Security .......... 2
5.1.1 Construction of Information Security Management Structure .......... 2
5.1.2 Strict Management of External Organizations Accessing Information Assets .......... 2
5.2. Human Resources Security .......... 3
5.2.1 Personnel Security .......... 3
5.2.2 Security Awareness .......... 3
5.3. Assets Security .......... 3
5.3.1 Assets Security .......... 3
5.3.2 Classification Protection .......... 3
5.3.3 To Specify the Disposal and Control of Media .......... 4
5.4. Access Control Policy .......... 4
5.4.1 Access Control Policy .......... 4
5.4.2 User Access Management .......... 4
5.5. Cryptography .......... 4
5.5.1 Policy on the Use of Cryptographic Controls .......... 4
5.5.2 Cryptographic Management .......... 5
5.6. Physical and Environmental Security .......... 5
5.6.1 Secure Areas .......... 5
5.6.2 Equipment and Facilities Security .......... 5
5.7. Operational Security .......... 5
5.7.1 Operating Procedures and Responsibilities .......... 5
5.7.2 Planning and Management of Capacity .......... 6
5.7.3 Separation of Development, Testing and Operational Environments .......... 6
5.7.4 Protection from Malware .......... 6
5.7.5 Backup .......... 6
5.7.6 Audit Logging and Logging Protection .......... 6
5.7.7 Control of Operational Software .......... 7
5.7.8 Clock Synchronization .......... 7
5.7.9 Technical Vulnerability Control .......... 7
5.7.10 Information Systems Audit Controls .......... 7
5.8. Communications Security .......... 8
5.8.1 Network Security Management .......... 8
5.8.2 Information Processing Procedures .......... 8
5.9. Information System Acquisition, Development and Maintenance .......... 8
5.9.1 Strengthening Security Requirements and Analysis of Information System Development .......... 8
5.9.2 Ensuring the Security of Internal Data .......... 8
5.9.3 Ensuring the Integrity of Information .......... 9
5.9.4 Policy on the Cryptographic Setting .......... 9
5.9.5 Control of the Source Code of the System .......... 9
5.9.6 Technical Audit after the Change of Operational System .......... 9
5.9.7 Prevention of Information Disclosure .......... 10
5.9.8 System Security Testing .......... 10
5.9.9 System Acceptance Testing .......... 10
5.10. Supplier Relationship .......... 10
5.10.1 Information Security Policy for Supplier Relationships .......... 10
5.10.2 Ensuring the Quality of Third-party Service .......... 10
5.10.3 Audit on the Third-party Service Delivery .......... 11
5.11. Information Security Incident .......... 11
5.11.1 Policy on Information Security Incident .......... 11
5.12. Business Continuity .......... 11
5.12.1 Policy on Business Continuity Management .......... 11
5.13. Compliance with Legal and Legislative Requirements .......... 11
5.13.1 Conforming to Legal and Legislative Requirements .......... 11
5.13.2 Information Security Independent Audit .......... 12

1. Purpose

This policy is established to ensure the confidentiality, integrity and availability of the information assets of eBaoTech Corporation (hereinafter referred to as "Company"), the safe and stable operation of the Company's information system and the smooth development of business.

2. Scope

This policy applies to the staff, business partners and their expatriates, as well as other organizations and personnel who use the Company's information assets to carry out their work.

3. Responsibilities

3.1. Management Representative

Responsible for the approval of the information security policy and for providing the resources needed for the promotion and implementation of the information security management system documents.

3.2. Information Security Management Committee

Responsible for the preparation and revision of the information security policy, including interpreting and incorporating external documents and updating the policy; organizing information security officers and all department staff to draft the information security policy and update the relevant management system and operational procedure documents; and monitoring the implementation of the information security management system in all departments.

3.3. Functional Department

Implementing the information security policy and relevant management systems; formulating the implementing regulations of the department and putting them into effect.

3.4. Staff

Understanding and complying with the information security policy and relevant management systems, and accepting relevant training and education.

4. Information Security Policy

The Company's information security policy is as follows, and it must be reviewed annually in the management review meeting.

The information security policy is: prevention first, classification protection, decentralized responsibility, continual improvement.

a) Prevention first: the implementation of information security is based on the guiding principle of prevention first: taking all active prevention measures; establishing a prevention and control system for information security and operational risks; strengthening the security awareness of staff; improving the emergency mechanism; and strengthening internal security checks, so that all problems are prevented before they occur.

b) Classification protection: information assets shall be classified in terms of their importance, and corresponding measures shall be taken according to the classification so as to ensure that all kinds of information assets receive an appropriate level of protection.

c) Decentralized responsibility: establishing a decentralized information security organization and making sure that responsibilities are assigned by decentralization and put into practice.

d) Continual improvement: implementing continuous improvement of information security management according to the PDCA model to ensure that the Company's information assets, in the process of dynamic change, are always under comprehensive protection.

5. Basic Policy on Information Security

5.1. Organizational Security of Information Security

5.1.1 Construction of Information Security Management Structure

a) Purpose: To implement information security management effectively inside the Company.

b) Policy: To initiate and control the implementation of information security work, approve the information security policy and strategies, determine the information security management and division of responsibilities, and coordinate the effective operation of the entire information security management system through the establishment of an information security management committee.

The Company also needs to build contacts with external organizations such as customers, security service providers, supervisors and external security consultants to track industry trends and learn advanced information security technologies and management methods.

5.1.2 Strict Management of External Organizations Accessing Information Assets

a) Purpose: To ensure that the information assets accessed by outside organizations are under protection.

b) Policy: Business transactions and information exchange between the Company and the outside world are inevitable, and the Company often needs to open its information assets and information processing facilities to outside organizations. As a result, there is a need to assess the security risks associated with access to internal information assets by external organizations and, if necessary, to sign a confidentiality agreement with the external organization that declares the Company's information security policy and strategy and determines the required security control measures.

5.2. Human Resources Security

5.2.1 Personnel Security

a) Purpose: To reduce the risk of human error, theft, fraud or abuse of facilities and authority.

b) Policy: To formulate and implement controls on employees prior to, during and after employment so as to ensure that their behavior conforms to the security management requirements; to formulate and implement regulations on external personnel prior to, during and after cooperation so as to ensure that external personnel perform their due duties on information security.

5.2.2 Security Awareness

a) Purpose: To ensure that employees of the Company and third parties recognize the importance of information security and implement the information security policy at work, so as to reduce the rate of information security incidents.

b) Policy: To carry out adequate training of the employees of the Company and third parties and specify their information security responsibilities so that they can master the necessary information security skills; to specify the information security requirements that third parties should conform to and the information security responsibilities and duties that third parties should fulfill.

5.3. Assets Security

5.3.1 Assets Security

a) Purpose: To identify the important and valuable information assets of the Company, manage these information assets, and ensure their effective use.

b) Policy: To identify and manage information assets; to formulate and implement correct operating procedures for using information assets according to the characteristics of the different types of information assets.

5.3.2 Classification Protection

a) Purpose: To implement classification protection on information assets in accordance with their importance.

b) Policy: To implement different security standards and policies based on the value and level of information assets; to implement the corresponding level of protection in accordance with the needs of different information assets.

5.3.3 To Specify the Disposal and Control of Media

a) Purpose: The Company shall effectively manage the use, movement, storage and disposal of storage media, so as to prevent disclosure, tampering or media damage, as well as adverse effects on business transactions, due to poor management of storage media.

b) Policy: The Company shall consider how long backup information needs to be retained when selecting media. Storage media include hard disks, tapes, USB drives, removable hard drives, CDs, DVDs and print media. The personnel responsible for storage media shall check and mark all storage media and shall establish operational strategies and relevant procedures for the use, storage, deletion and destruction of storage media in order to protect the data and system files on the media from unauthorized disclosure, tampering and destruction.

5.4. Access Control Policy

5.4.1 Access Control Policy

a) Purpose: To control access to information assets and ensure the effective implementation of the principles of isolated operation, unique user identity, least privilege, separation of duties and deny by default.

b) Policy: To strengthen the access control management of the Company's assets, standardize user management, password management and system configuration, and set out the basic requirements of access control management.

5.4.2 User Access Management

a) Purpose: To ensure that legitimate users get the appropriate access rights and to prevent unauthorized access.

b) Policy: To ensure that relevant personnel obtain access appropriate to their duties, maintain a list of user access rights and review it regularly, and adjust or revoke an employee's access rights when he/she changes post or leaves the Company.

5.5. Cryptography

5.5.1 Policy on the Use of Cryptographic Controls

a) Purpose: The Company shall develop and implement cryptographic control measures in the information system to protect information.

b) Policy: When formulating the cryptographic policy, the Company should consider the following: the management of cryptographic controls across the organization, including the general principle of protecting business information; identification of the required protection level based on risk assessment, considering the type, strength and quality of the encryption algorithm; and the use of cryptography to protect sensitive information carried on mobile phones, removable media and other devices, or transmitted over communication lines.

5.5.2 Cryptographic Management

a) Purpose: To ensure the appropriate use and management of cryptographic security.

b) Policy: The Company shall formulate regulations on cryptographic management so as to ensure that the whole key lifecycle, from application and use through custody to destruction, is under secure control.

5.6. Physical and Environmental Security

5.6.1 Secure Areas

a) Purpose: To prevent unauthorized access to, damage to and interference with secure areas.

b) Policy: To specify the boundaries of secure areas and take appropriate control measures, such as physical isolation, access control systems and video surveillance.

5.6.2 Equipment and Facilities Security

a) Purpose: To prevent loss, damage or information disclosure of information processing facilities.

b) Policy: Accurately identify and manage all kinds of equipment and facilities, and place them in the appropriate area.

5.7. Operational Security

5.7.1 Operating Procedures and Responsibilities

a) Purpose: The Company shall establish documented operating regulations and mechanisms for the information system so as to ensure that employees can operate information processing facilities correctly and safely. The Company shall divide the responsibilities of different categories of employees to reduce the rate of unauthorized access, unintentional modification and improper use of organizational assets.

b) Policy: The system activities of the Company's information processing and communication facilities, such as backup, equipment maintenance, media handling, room management, mail management and physical security management, shall be governed by documented specifications. Necessary management, operating responsibilities and procedures shall be established for all information processing facilities. The Company shall control changes to information processing facilities and systems, implement a clear allocation of responsibilities to reduce risks due to negligence or misuse of the system, and ensure that unauthorized or unmonitored individuals are not able to access, modify or use the system. The Company shall implement effective separation of duties in accordance with the basic requirements of secure operations.

5.7.2 Planning and Management of Capacity

a) Purpose: The Company shall strengthen the monitoring, tuning and projection of future capacity requirements to ensure that the required system performance is available.

b) Policy: The Company ensures that the capacity requirements of each information system can be identified, so as to guarantee timely assessment and improvement of availability and efficiency when necessary. When projecting the future capacity of a system, the Company should take into account the development of new services, the system's own development requirements, the Company's current information processing capabilities and future development trends.

5.7.3 Separation of Development, Testing and Operational Environments

a) Purpose: The Company shall implement a separation policy for the development, testing and operational facilities to reduce the risk of unauthorized access to or alteration of the operational system.

b) Policy: The Company shall define the level of separation among the operational, testing and development environments of the information system to prevent overstepping of authority or unauthorized operations.

5.7.4 Protection from Malware

a) Purpose: To reduce the adverse effect of malware on the Company.

b) Policy: To establish an effective computer virus prevention, detection and removal mechanism, implement detection and protection controls to prevent malware, and improve employees' awareness of prevention.

5.7.5 Backup

a) Purpose: To ensure the integrity and availability of backup data.

b) Policy: To back up the data and carry out effective testing of the backup data in accordance with the backup policy.

5.7.6 Audit Logging and Logging Protection

a) Purpose: The Company shall produce logs recording user activities, exceptions and information security events and retain them for a defined period to support future investigation and access control monitoring. Logging facilities and log information shall be protected against tampering and unauthorized access.

b) Policy: The Company shall establish logging management regulations to protect logging storage facilities from unauthorized tampering and operational problems. Important audit logs need to be archived. The audit logs shall include details such as user ID, date, time and key events, as well as system configuration, special access rights, and the use of system utilities and applications.

5.7.7 Control of Operational Software

a) Purpose: Software installation on all operating systems shall be carried out according to the management procedures established by the Company; the installation process shall be recorded and archived.

b) Policy: The Company shall develop management procedures for software installation and designate specific personnel to install software on operating systems according to the procedure. Installers shall have the skills required for daily software installation.

5.7.8 Clock Synchronization

a) Purpose: The clocks of all facilities shall be synchronized to an accurate reference time source.

b) Policy: The Company shall synchronize clocks to ensure the accuracy of system logs.

5.7.9 Technical Vulnerability Control

a) Purpose: The Company shall reduce the risks brought by the exploitation of technical vulnerabilities.

b) Policy: The Company shall obtain information on the technical vulnerabilities of all kinds of technical systems used by the organization, such as operating systems, application systems and software tools, assess the organization's exposure to such vulnerabilities, and take appropriate control measures.

5.7.10 Information Systems Audit Controls

a) Purpose: The Company shall minimize the risk brought by information systems audits.

b) Policy: The Company shall plan in detail and assess the risks associated with information systems audits when conducting them. The information systems audit policy shall be implemented with the approval of senior leaders, and the implementation shall strictly follow the planned procedures.

5.8. Communications Security

5.8.1 Network Security Management

a) Purpose: The Company shall maintain the availability of network services and guarantee the confidentiality and integrity of the information transmitted over the network.

b) Policy: To implement network security management; divide the network into security zones; monitor and manage network equipment and activities; develop network security policies and operating procedures; and protect network information and supporting facilities.

5.8.2 Information Processing Procedures

a) Purpose: The Company shall establish information processing and storage procedures to prevent unauthorized disclosure or improper use of information.

b) Policy: The Company shall establish management procedures for handling, processing, storing and communicating information consistent with its classification, and shall dispose of and mark all media according to the classification standard. The Company shall also clearly restrict unauthorized access and store media in accordance with the manufacturers' storage specifications. All copies of data shall be clearly marked so as to draw the attention of data owners.

5.9. Information System Acquisition, Development and Maintenance

5.9.1 Strengthening Security Requirements and Analysis of Information System Development

a) Purpose: The Company shall specify the requirements for security control measures in the requirements statement for constructing a new information system or strengthening an existing information system.

b) Policy: Prior to the development of an information system, the requirements for the basic automated control measures and supporting manual control measures included in the information system should be specified. The security requirements of both existing and newly constructed information systems shall be integrated at an early stage of the information system project. The purchase of a mature software product shall follow a formal testing and acquisition process, and the specified security requirements shall be set out in the contract signed with suppliers.

5.9.2 Ensuring the Security of Internal Data

a) Purpose: Validation checks shall be integrated into the information system to detect errors in information system processing, whether accidental or due to intentional actions.

b) Policy: In the design and development of the information system, data review and checking functions should be integrated into the whole process of data processing to ensure that the integrity of the data is not lost or destroyed in the course of processing.

5.9.3 Ensuring the Integrity of Information

a) Purpose: Appropriate control measures should be taken in the information system to ensure the authenticity of data and protect the integrity of information.

b) Policy: In the construction of an information system, a security risk assessment is required to determine whether information integrity needs to be ensured and to decide the most appropriate implementation method.

5.9.4 Policy on the Cryptographic Setting

a) Purpose: The Company shall develop and implement cryptographic control

measures in the information system to protect information.

b) Policy: When formulating the cryptographic policy, the Company should consider

the following: the management of using cryptographic control among

organizations, including the general principle of protecting business information,

identification of the protection level based on risk assessment and considering the

type, intensity and quality of encryption algorithm; using password to protect

sensitive information via mobile phones, removable media, devices, or through

communication lines.

5.9.5 Control of the Source Code of the System

a) Purpose: The Company shall standardize and limit the access to source code of the

system.

b) Policy: The Company shall strictly control the access to the source code and

related items (such as designing, manual, confirmation plan, and validation plan).

The reserve of system source code shall be achieved through the central storage

control of the code. It would be best that the source code is kept in the source

system library.

5.9.6 Technical Audit after the Change of Operational System

a) Purpose: When the operating system changes, the Company shall review and test

the critical applications of the business to ensure that there is no adverse impact

on the operation and security of the application system.

b) Policy: To review the control and integrate procedure in the application system to

ensure that they won’t be damaged due to the operating system changes; ensure

that notice of operating system changes is provided timely in the review and

system testing brought by the changes in the annual supporting plan and budget,

so that the Company can take appropriate testing and review before

Page 14: eBao ISO/IEC 27001: 2013

Information Security Policy ISO/IEC27001:2013

<Confidential> eBaoTech Corporation 10

implementation and take proper changes on the business continuity plan.

5.9.7 Prevention of Information Disclosure

a) Purpose: The Company shall prevent the leakage of information.

b) Policy: The Company shall limit the risk of information leakage, regularly assess the security of external communications with respect to hidden information, and conceal and adjust the communication behavior of its systems to reduce the possibility that third parties infer information from these actions. The Company shall also regularly monitor the activities of individuals and systems, as well as the use of computer system resources, within the bounds of existing laws and regulations.

5.9.8 System Security Testing

a) Purpose: To carry out security testing of information systems, find potential vulnerabilities as far as possible and prevent them as early as possible.

b) Policy: Security testing of information systems shall be carried out regularly, and comprehensive testing shall be carried out before an information system goes online.

5.9.9 System Acceptance Testing

a) Purpose: Documents shall be established and testing shall be carried out before a new system is accepted and used.

b) Policy: The requirements and principles for acceptance of a new system shall be clearly defined, documented and tested before the new information system is built. System upgrades and new versions shall be put into production only after formal testing and acceptance.

5.10. Supplier Relationship

5.10.1 Information Security Policy for Supplier Relationships

a) Purpose: To ensure that the information assets accessed by suppliers are controlled, so that the Company's information is not damaged or disclosed as a result of supplier access.

b) Policy: The Company shall ensure that suppliers understand the information security requirements and the security measures implemented, and shall specify the scope of suppliers' access to the Company's information resources. The Company shall monitor supplier access.

5.10.2 Ensuring the Quality of Third-party Service

a) Purpose: The Company shall ensure that third parties maintain the appropriate level of information security and service delivery while providing services, provided that the Company itself conforms to the agreements between the two sides.

b) Policy: Services delivered by third parties shall include the agreed security plan, service definitions and service management. Third parties shall maintain adequate service capabilities and have a sustainability plan so that the agreed services can be maintained after a failure or disaster.

5.10.3 Audit on the Third-party Service Delivery

a) Purpose: To ensure that services delivered by third parties conform to the agreement requirements.

b) Policy: Check the requirements of the agreement and the consistency of its implementation, to ensure that service delivery meets all requirements agreed upon with the third party.

5.11. Information Security Incident

5.11.1 Policy on Information Security Incident

a) Purpose: To minimize the damage from information security incidents, monitor them and make continual improvements.

b) Policy: Information security incidents shall be subject to centralized control, statistics, analysis and corresponding measures. The Company shall establish and improve mechanisms for monitoring, reporting, warning, handling and rectifying information security incidents.

5.12. Business Continuity

5.12.1 Policy on Business Continuity Management

a) Purpose: To prevent the interruption of business activities, protect critical business processes from major information system failures or natural disasters, and ensure timely recovery.

b) Policy: Identify potential hazards that could lead to business interruptions, as well as the likelihood and impact of such interruptions and their security consequences; formulate continuity plans and conduct emergency drills to ensure timely recovery from interruptions or failures of critical business processes and to guarantee the availability of information.

5.13. Compliance with Legal and Legislative Requirements

5.13.1 Conforming to Legal and Legislative Requirements

a) Purpose: To ensure that daily work conforms to legal and legislative requirements.

b) Policy: Establish a system for identifying the laws and regulations relevant to information security and reflect their requirements in all rules and regulations. Carry out training so that employees are clear about the relevant laws and regulations and comply with them at work.


5.13.2 Information Security Independent Audit

a) Purpose: The Company shall regularly carry out internal information security audits and management reviews to understand how the information security management system is implemented and to identify opportunities for improving it.

b) Policy: The Company shall regularly (at least once a year) conduct an internal audit of information system security to assess the compliance of current information systems with the Company's security policies, relevant standards and technologies. Meanwhile, the Company shall prudently plan the audit requirements and activities for checks of operating systems, databases and network equipment so as to minimize the effect on business. The Company shall restrict access to information system security auditing tools to avoid disclosure of sensitive information and possible misuse or damage to information systems.