Data Security Management Specification V1.0 (Template)

XX Data Security Management Specification V1.0 (Template)

Contents

1. Purpose

2. Scope

3. Normative references

4. Terms and definitions

5. Security management requirements for Confidential Level 1 data

5.1. Data generation

5.2. Data transmission

5.3. Data usage

5.4. Data storage

5.5. Data destruction

6. Security management requirements for Confidential Level 2 data

6.1. Data generation

6.2. Data transmission

6.3. Data usage

6.4. Data storage

6.5. Data destruction

7. Security management requirements for internal-level data

7.1. Data generation

7.2. Data transmission

7.3. Data usage

7.4. Data storage

7.5. Data destruction

8. Security management requirements for public-level data

8.1. Data generation

8.2. Data transmission

8.3. Data usage

8.4. Data storage

8.5. Data destruction

1. Purpose

This specification provides a reference standard for data security management at XX Holding Group Co., Ltd. (hereinafter “XX Holding”) and its business-segment companies. It clarifies the security management requirements for data at each classification level and safeguards the security of data assets.

2. Scope

This specification applies to all employees of XX Holding Group and its business-segment companies, including the offline retail, Internet, smartphone, smart manufacturing, financial investment and real estate segments and the electrical appliance branch companies.

3. Normative references

The following documents are essential for the application of this document. For dated references, only the dated version is applicable to this document. For undated references, the latest version (including all amendments) is applicable to this document.

GB/T 22239-2008, Basic requirements for classified security protection of information systems

GBZ 28828-2012, Information security technology: Guideline for personal information protection in information systems for public and commercial services

Provisions on the Protection of Personal Information of Telecommunications and Internet Users (Order No. 24 of the Ministry of Industry and Information Technology)

ISO 27001:2013, Information technology: Security techniques: Information security management systems: Requirements

ISO 27001:2013, Information technology: Security techniques: Code of practice for information security controls

4. Terms and definitions

(1) Confidential Level 1: contains the company's most highly sensitive data, which bears on the company's future development and prospects. If leaked, it would seriously damage the company and have a decisive impact on its fundamental interests.

(2) Confidential Level 2: contains the company's sensitive data. If leaked, it would seriously damage the company's security and interests.

(3) Internal data: data that may be disclosed only within the company or within a particular department of the company. Spreading it externally could damage the company's interests.

(4) Public data: data that may be disclosed to society and the general public.

5. Security management requirements for Confidential Level 1 data

5.1. Data generation

This requirement includes:

a) Confidential Level 1 data shall be generated (or created) in secure systems and environments inside the company.

b) Entry of Confidential Level 1 data shall use a two-person mechanism, with one person operating and another reviewing, and data entry shall be registered.

c) Requests to collect Confidential Level 1 data (including calls to system interfaces and manual data collection or extraction) shall be approved by the relevant responsible person, the department head, company leadership and group leadership.

d) The collection of personal information (including internal employee personal information and customer information) shall have a specific, clear and reasonable purpose.

e) Before personal information is collected, the individual shall be clearly informed and warned, in a way that is easy for the individual to understand, of the purpose of processing the personal information, the methods and means of collection, the specific content collected and its retention period, the scope of use of the personal information, and so on.

f) Only the minimum information needed to achieve the notified purpose shall be collected.

g) Personal information shall be collected from individuals by the notified means and methods; covert means shall not be used to collect personal information.

5.2. Data transmission

This requirement includes:

a) Where Confidential Level 1 data must be transmitted between application systems, a secure data transmission scheme shall be established, approved by the relevant responsible person, the department head, the security management department and company leadership, and implemented as approved.

b) Confidential Level 1 electronic media and paper documents shall be delivered in a secure manner by a designated person, with two-way registration of both sending and receipt.

c) Confidential Level 1 electronic documents transmitted within the company shall be sent using an appropriate form of encryption (for example, compression with encryption).

d) Unless the personal information subject has given explicit consent, laws and regulations expressly so provide, or the competent authority has consented, personal information obtained and processed by the company shall not be disclosed to other individuals or organizations.

5.3. Data usage

This requirement includes:

a) A level-by-level approval system shall be established for the use of Confidential Level 1 data. It shall define the application and approval procedures for using Confidential Level 1 data within a segment company, between segment companies and externally. Approvals shall follow these procedures, and approval records shall be kept.

b) All internal employees and external personnel who access Confidential Level 1 information shall sign a confidentiality agreement before accessing it. For external personnel, a confidentiality agreement shall also be signed with the organization they belong to.

c) In principle, Confidential Level 1 data shall not be sent outside the company. Where this is genuinely necessary, it shall be approved under the level-by-level approval system, with final approval by group leadership, and approval records shall be kept. Where appropriate, Confidential Level 1 data shall be desensitized before being provided to external organizations or personnel.

d) Confidential Level 1 data shall be accessible only to a very small number of authorized core personnel, who shall sign a confidentiality agreement with the company.

e) The use of Confidential Level 1 data shall be approved by the relevant responsible person, the department head and the management of the company concerned.

f) The use of Confidential Level 1 data shall be registered.

g) Reuse of Confidential Level 1 paper documents is prohibited, even where the paper is reusable.

h) Personal information shall not be used contrary to the purpose of use notified at the collection stage, nor processed beyond the notified scope.

i) While personal information is in use, it shall be ensured that it is not obtained by any individual or organization unrelated to the purpose of use.

j) When personnel change posts or leave the company, the company data assets they use or hold shall be recovered promptly.

5.4. Data storage

This requirement includes:

a) Electronic documents shall be stored encrypted in a secure computer system.

b) Paper documents shall be locked in a secure safe and shall not be stored or displayed in any other form.

c) Electronic documents shall be backed up regularly (weekly) by a designated person, and the backup media shall be kept locked in an anti-magnetic cabinet.

d) Copies of paper documents shall be retained and locked in a secure safe.

5.5. Data destruction

This requirement includes:

a) Management rules and processes for scrapping and destroying storage media shall be established, and records of applications and approvals and a destruction register shall be kept.

b) When storage media holding Confidential Level 1 data are scrapped, they shall be destroyed using a degausser.

c) When Confidential Level 1 paper documents are no longer in use, they shall be destroyed using a paper shredder.

6. Security management requirements for Confidential Level 2 data

6.1. Data generation

This requirement includes:

a) Confidential Level 2 data shall be generated (or created) in secure systems and environments inside the company.

b) For entry of Confidential Level 2 data, a two-person mechanism may be adopted as needed, with one person operating and another reviewing, and a register of data entry kept.

c) Requests to collect Confidential Level 2 data (including calls to system interfaces and manual data collection or extraction) shall be approved by the relevant responsible person, the department head and company leadership.

d) The collection of personal information (including internal employee personal information and customer information) shall have a specific, clear and reasonable purpose.

e) Before personal information is collected, the individual shall be clearly informed and warned, in a way that is easy for the individual to understand, of the purpose of processing the personal information, the methods and means of collection, the specific content collected and its retention period, the scope of use of the personal information, and so on.

f) Only the minimum information needed to achieve the notified purpose shall be collected.

g) Personal information shall be collected from individuals by the notified means and methods; covert means shall not be used to collect personal information.

6.2. Data transmission

This requirement includes:

a) Where Confidential Level 2 data must be transmitted between application systems, a secure data transmission scheme shall be established, approved by the relevant responsible person, the department head and the security management department, and implemented as approved.

b) Confidential Level 2 electronic media and paper documents shall be delivered in a secure manner by a designated person, and receipt shall be registered.

c) Confidential Level 2 electronic documents transmitted within the company shall be sent using an appropriate form of encryption (for example, compression with encryption).

6.3. Data usage

This requirement includes:

a) A level-by-level approval system shall be established for the use of Confidential Level 2 data. It shall define the application and approval procedures for using Confidential Level 2 data within a segment company, between segment companies and externally. Approvals shall follow these procedures, and approval records shall be kept.

b) All internal employees and external personnel who access Confidential Level 2 information shall sign a confidentiality agreement before accessing it. For external personnel, a confidentiality agreement shall also be signed with the organization they belong to.

c) Where appropriate, Confidential Level 2 data shall be desensitized before being provided to external organizations.

d) Confidential Level 2 data shall be accessible only to a small number of authorized key personnel.

e) The use of Confidential Level 2 data shall be approved by the relevant responsible person and the department head.

f) The use of Confidential Level 2 data shall be registered.

g) Reuse of Confidential Level 2 paper documents is prohibited, even where the paper is reusable.

6.4. Data storage

This requirement includes:

a) Electronic documents shall be password-protected and stored in a secure computer system. The computer system shall be set with a high-strength password that meets the requirements of the password policy.

b) Paper documents shall be kept locked in a filing cabinet inside a secure area and shall not be stored or displayed in any other form.

c) Electronic documents shall be backed up regularly (monthly) by a designated person, and the backup media shall be kept locked in a filing cabinet.

d) Copies of paper documents shall be retained and kept locked in a filing cabinet.

6.5. Data destruction

This requirement includes:

a) Management rules and processes for scrapping and destroying storage media shall be established, and records of applications and approvals and a destruction register shall be kept.

b) When storage media holding Confidential Level 2 data are scrapped, they shall be destroyed by an effective method such as a degausser or physical destruction.

c) When Confidential Level 2 paper documents are no longer in use, they shall be destroyed using a paper shredder.