
Information Security Management System Manual

Published: 2015-2-9

Information Security Management System Manual

Version record

Version | Reason for change | Written by | Reviewed by | Date issued | Effective date
1.0     | Initial version   |            |             |             |

Approved by (signature):
Date:

Information Security Management System Manual
0. Purpose of the Information Security Management System
Having assessed the relevant information security risks, the company implements security policies and procedures with the primary objective of protecting the information and information assets of the company, its customers and individuals. The objective of this policy is to establish common guidelines for maintaining, within the company, the confidentiality, integrity and availability of information in a controlled manner that is consistent across the whole organization.
This manual is prepared in accordance with ISO/IEC 27001:2005 (Information security management systems: Requirements), adapted to the actual management situation of our company, and is used to demonstrate to customers and third parties, under contractual conditions, that our information security management system meets the specified standard.
1. Information Security Management System Policy
Meet customer requirements, implement risk management, ensure information security, and achieve continual improvement.
In order to ensure the confidentiality, integrity and availability of all information assets and to provide customers with a more reassuring service, we have established an information security management system in accordance with ISO/IEC 27001:2005 and commit to the following:
1) Establish a complete information security management organization at every level of the company; define the information security policy, security objectives and controls; and assign clear management responsibilities for information security;
2) Identify and meet the information security requirements of applicable laws and regulations and of customers and other interested parties;
3) Carry out information security risk assessments and ISMS reviews at regular intervals, and take corrective and preventive actions to ensure the continuing effectiveness of the system;
4) Adopt advanced and effective facilities and technologies for processing, transmitting, storing and protecting all types of information;
5) Provide continuing information security education and training to all employees, and continually strengthen their information security awareness and competence;
6) Establish and maintain a sound business continuity plan to achieve sustainable development;
7) Review the suitability and adequacy of this policy at regular intervals in light of the actual situation, and revise it where necessary;
8) The company formulates its specific security policies and procedures on the basis of this information security management system policy.
2. Scope of the Information Security Management System
The information security management system covers all departments, employees, systems and network infrastructure of the company, and also includes external parties who affect information security (suppliers, customers, other relevant third-party personnel, etc.).
2.1. Responsibilities
The Information Security Manager owns the information security policy and has management responsibility for its formulation, review and evaluation. The review shall include assessing opportunities for improving the organization's information security policy, and the approach to managing information security in response to changes in the organizational environment, business circumstances, legal conditions or technical environment. The review of the information security policy shall take into account the results of management review.
The information security policy shall be reviewed annually at the management review, or whenever significant changes occur, to ensure its continuing suitability, adequacy and effectiveness.
3. Organizational structure
3.1. Company organization chart
(Chart: organization structure of IAC Search & Media Company. Departments shown: HR department, IT department, Research department, Financial department, Management department.)

3.2. Information security management organization structure
Information Security Committee:
Director: Liang Zuomin
Management representative: Cao Xuejun
Members: Fang Qi, Yu Ling, Shi Yan, Lily Wang, Ye Jianxing, Huang Zhihua, Pan Hangping, Liu Jing

(Chart: organization structure of the Information Security Committee of IAC Search & Media Company. Management representative: Cao Xuejun.)
Information Security Working Group:
Group leader: Fang Qi
Members: Yu Ling, Shi Yan, Lily Wang, Ye Jianxing, Huang Zhihua, Pan Hangping, Liu Jing
4. Framework of the Information Security Management System
Based on its overall business activities and risks, the company shall develop, implement, maintain and continually improve a documented information security management system, taking the PDCA (Plan, Do, Check, Act) continual improvement model as the main guiding principle throughout its information security management.
