员工信息安全行为规范-中英对照
Behavior specification of staff information safety
1. 目的Purpose
通过《员工信息安全行为规范》,建立员工日常行为的可操作性规范,以促进公司信息安全目标的的实现。Regulation of “Behavior norm of staff information safety” set up daily effective norm of staff behavior, so as to promote the realization information safety of company.
2. 适用范围Scope of application
本方针的适用对象主要包括所有部门,必要时还包括相关的外部人员(与公司有关的集成商、软件开发商、产品提供商、顾问、商业合作伙伴、临时工作人员和客户以及其他第三方机构或人员等)。上述对象在利用公司的信息或接入公司信息系统时,均必须遵守该行为规范。The application scope of this guiding principle includes all departments; it also includes relevant external personnel in case of necessity (Integration supplier, software developer, products manufacturer, advisor, commercial cooperative partner, interim staff member and customer and other third party's organization or personnel of company). Above-mentioned parties shall observe this behavior norm while utilizing information of the company or access company's information system,
2.1. 职责Duty
HR部HR department
根据公司安全管理的实际情况,制定/修订本员工行为规范;According to the actual conditions of company's safety management, formulate / revise the edition of behavior norms of staff;
HR部、IT部及行政部HR department, IT department and administration department
监督和检查本规范的执行。Supervise and check the execution of this normal.
所有员工(包括临时员工及相关的外部人员):All staff (include interim staff and relevant external personnel):
遵守该行为规范,并报告发现的任何违规行为Observe this behavior norm, and report any unlawful practice found
3. 术语和定义Terms and definitions
4. 相关/支持性文件Relevant / supporting document
• 《信息安全手册》“Manual of information safety”
• 《信息密级分类及管理指南》“Classification and management guideline of confidential information”
• 《用户权限管理程序》“Authority management procedure of user”
• 《办公场所安全管理规范》“Safe management standard in office”
5. 记录管理Record management
记录
Record 保存期限Storage period 位置
Position 责任人
Person liable
6. 规范内容Regulation content
6.1. 保密信息管理Management of confidential information
根据《信息密级分类及管理指南》的相关规定标识和保护所使用、保管和建立的信息。In accordance with the regulation of relevant fixed identification and protection, store and formulation information of “Classification and management guideline of confidential information”.
因工作需要访问密级为秘密及以上信息的,需要向本部门负责人或信息所有者提出申请,有关权限的申请,遵循《用户权限管理程序》。Visit confidential information in need of work shall submit an application to the department head or the information owner; as for the application of the authority shall observe the regulation of “Authority management procedure of user”.
6.2. 办公场所出入管理The entry and exit management of office building
遵循《办公场所安全管理规范》。Observe the regulation of “Safe management standard in office”.
6.3. 便携式计算机设备安全管理Safety management of the equipment of portable computer
只有被批准的便携式计算机设备才能允许接入公司办公网络;Only the portable computer equipment with authorization may access to the network of official business of company;
未经授权,不得在公司内部使用非公司笔记本电脑;Without permission , it is prohibited to use the notebook computer not to use inside the company;
在使用公司办公网络的同时,未经授权,不得连接第三方网络;While accessing official network of company, it is prohibited to access to network of the third party without permission;
便携式计算机设备丢失或被窃应及时报告;Report in time while the portable computer equipment is lost or stolen;
未经授权,便携式计算机设备内禁止存放客户数据以及未加密的秘密以上信息。Without permission, it is prohibited to store customer's data and unencrypted information in the portable computer.
6.4. EMAIL管理EMAIL management
未经授权禁止使用邮箱发送代码及数据,禁止向外部发送公司代码及数据;It is prohibited to send the code and data without permission with E-mail; it is prohibited to send company's code and data to the outside;
禁止在公司内使用个人信箱和外部公用信箱;It is prohibited to use the personal mailbox and outside public mailbox in company;
公司信箱只能用于公司目的,公司有权对所发送的内容进行监控;The company mailbox can only be used in company's purpose , the company has the right to supervise the content;
通过EMAIL发送保密信息必须遵循《信息密级分类及管理指南》的相关规定;The confidential information send through EMAIL shall follow relevant regulation on “Classification and management guideline of confidential information”;
禁止利用公司邮箱发送或者转发虚假、黄色、反动信息;It is prohibited to use the company postbox to send or transmit false, obscene, reactionary information;
禁止利用公司邮箱发送或者转发宣扬个人政治倾向或者宗教信仰;It is prohibited to use the company postbox to send or transmit and advocate personal political orientation or religious belief;
禁止利用公司邮箱发送或者转发发送垃圾信息;It is prohibited to use the company postbox to send or transmit and send the rubbish information;
禁止利用公司邮箱发送或者转发能够引起连锁发送的恐吓、祝贺等信息;It is prohibited to use the company postbox to send or transmitting the threatening and congratulating information that can cause the chain reaction;
Email发送的附件大小不能超过20M;The size of the enclosure of Email shall not exceed 20M ;
禁止发送或者转发可能有计算机病毒的信息;It is prohibited to send or transmit the information with computer virus;
禁止打开来路不明的邮件并执行附件;It is prohibited to open the unknown mail and carry out the enclosure ;
发送Email必须有清楚的主题,发送前再次确认收件人列表内的人员都是必需的。It is required to clear themes of Email; confirm personnel in the addressee again before sending shall be essential.
6.5. Internet 接入管理Internet accessing management
办公网段的员工,根据业务需要可以开放Internet浏览权限;Staff of official business network may open Internet browse authority according to the requirement of business;
公司内的Internet 服务,只能用于工作目的,公司有权对员工的Internet上的行为进行监控;Internet service in the company can only be used in working purpose; the company has the right to control the behavior of staff on Internet;
禁止利用公司Internet接入服务,发送或者转发虚假、黄色、反动信息;It is prohibited to send or transmit false, obscene, reactionary information with access service of Internet in company;
禁止利用公司Internet接入服务发送或者转发宣扬个人政治倾向或者宗教信仰;It is prohibited to send or transmit and advocate personal political orientation or religious belief with access service of Internet in company;
禁止将公司内部及以上保密信息上传到公众论坛、FTP等公共资源服务;It is prohibited to upload confidential information of company to public resources, such as public forum and FTP, etc.
所有通过Internet 发送的敏感信息都必须有明确的接收人,而且是公司业务所必需的;并且遵循《信息密级分类及管理指南》的相关规定;All sensitive messages sent through Internet shall have clear receiving personal, and be essential to company business; it is required to observe the relevant regulation of “Classification and management guideline of confidential information”;
6.6. 用户账号及口令管理Account number and password management of user
不得将个人账户/口令借/转他人使用;It is prohibited to reveal the personal account / password to others;
用户首次登陆时,用户必须更改口令;Users shall alter password for the first registration ;
公司系统帐号的口令必需每3个月更改;客户提供的帐号和口令遵从其规定的;客户没有规定的,在可行时,应每3个月更改;The password of account number of company system shall be altered every 3 months; Comply with the regulation of account number and password of customer; the regulation does not specified, if it is applicable, shall be altered every 3 months ;
公司内所有帐号口令的最小长度为6位长度;客户提供的帐号和口令遵从有规定的,客户没有规定的,在可行时,最小口令应为6位;The minimum length of all account number and passwords of company shall be 6 digits; Comply with the regulation of account number and password of customer; the regulation does not specified, if it is applicable, the minimum password should be 6 digits;
口令必须包含字母和数字字符的组合;不得是可以轻易联想到的帐号所有者的特性,如用户名、绰号、亲属的姓名、生日等;The password must include the combination of letters and digital character; the password shall not be easily associated with the characteristic of the account number owner, for instance the names of user name, nickname, relative and birthday, etc.;
不得以明文方式将口令保存在电脑内,如果需要保存密码,必须以加密方式保存;It is prohibited to keep the password in the computer in way of proclaimed in writing , if is is required to keep the password, keep by encrypting pattern;
用户的帐号口令必须不能泄露给任何人;Users' account number password shall not revealed to anyone;
禁止在使用公共电脑登陆公司网络时启用自动保存账号/口令功能;It is prohibited to launch the function of automatic storage of account number / password while using the public computer to access company's network;
禁止将账号、密码保存在家用电脑中。It is prohibited to store account number and password in the personal computer.
员工忘记密码,要求IT部重设密码前,应告知部门主管。IT部与用户所在部门主管确认后, 重设密码。If the staff forgets the password, before asking IT department to reset the password, it is required to report the supervisor of the department. After confirmation of IT supervisor of the department, IT department may reset the password.
6.7. 防病毒管理Anti-virus management
所有连接到公司网络的WINDOWS平台计算机(PC/服务器)必须安装防病毒软件;All WINDOWS platform computers (PC / the server ) that connect to company's network shall install the anti-virus software;
不得禁用或绕过病毒保护软件;Forbid or avoid the protection of the anti-virus software are not allowed;
不得私自更改客户端防病毒软件设置(更新设置、保护设置、自动扫描设置等);It is prohibited to change the setting of the anti-virus software of customer end (upgrade and set up, protection sets up, auto scanning sets up etc);
由病毒保护软件不能自动清除并引起安全事故的病毒,必须向IT部报告;As for the virus cause the incident and cannot be removed by the software shall report to IT department ;
如发现防病毒库日期超过1月未更新,应及时更新,并向IT部报告。If virus storehouse was not upgraded for more than one month, it is required to upgrade in time and report to IT department.
定期更新系统补丁,在安装补丁前应做好相应的备份工作。Upgrade the system patch regularly; prepare the corresponding backup before installing patches.
6.8. 移动介质安全管理Safety management of moving medium
公司内禁止使用私人的U盘、移动硬盘等可移动介质,公司配发的工作用移动介质(U盘、移动硬盘)只能用于工作用途;It is prohibited to use the moving medium such as private U disk and moving hard disk, etc. Moving medium allotted by company (U record, last hard disk) can only used in working;
6.9. 屏幕保护设置The screen protection set up
桌面系统应启用屏幕保护程序, 时间为5分钟;The desk-top system should launch the screen protection program; time is about 5 minutes;
6.10. 其他安全管理Other safety management
禁止私自在PC/笔记本内安装超出公司规定范围外的软件;It is prohibited to install the software beyond the company regulation in PC / the portable computer;
禁止私自拆开机箱;It is prohibited to open the PC housing without permission;
禁止私自变更任何预定的安全及网络设置;It is prohibited to change setting of the prescribed security and network without permission;
禁止私自尝试破解网络/系统 /终端管理员及用户密码;It is prohibited to decipher the administrator password of network / system / terminal without permission;
禁止私自尝试进行网络或端口扫描;It is prohibited to access the network or scan without permission;
禁止通过个人PC文件共享功能,共享密级为秘密或以上的信息。It is prohibited to share the confidential information with personal PC.
员工应保持桌面的清洁,敏感信息在无人时应锁起来。Staff should keep cleanness of tabletop; sensitive message should be locked when nobody is absent.
2012.12.23