资安事件处理作业办法.doc

Altus Technology Inc. 揚信科技股份有限公司Title：Treating Method of the Info-Security Affairs Procedure: Title:Treating Method of the Info-Security Affairs 資安事件處理作業辦法Rev:ARevision HistoryRev.ECNDateOriginatorReasonA2006/6/22Yoyo YuanInitial ReleaseIssue stampDateTRADE SECRETS, CONFIDENTIAL INFORMATION, PROPRIETARY INFORMATION NOTICE and COPYRIGHTThe Copyright in this document is vested in Altus Technology Inc. The document may not be reproduced in whole or in part, or stored in a retrieval system, or transmitted in any form or by any means electronic, mechanical, photocopying or otherwise, without the prior written per-mission of Altus Technology Inc. This document, or its contents, cither in whole or in part, must not be communicated to the press or any person not authorized to receive it. The data shall not be duplicated, used, or disclosed in whole or in part for any purpose other than to evaluate the contents. This restriction does not limit the right of the recipient to use information contained in this data for its review and use for its intended purpose. The data subject to this restriction is contained in pages of this document marked Altus Proprietary DataContentsProcedure:1Title:1Rev:1A1Contents2Treating Method of the Info-Security Affairs31.0 Purpose目的32.0 Scope適用範圍33.0 Role and Responsibility角色與職責34.0 Emergency work flow chart of Info-Security Affairs資安事件應變作業流程圖45.0 Reporting of Info-Security Affairs通報作業46.0 Disposition of Info-Security Affairs處理作業57.0 Improving of Info-Security Affairs改善作業58.0 Audit稽核69.0 Encourage for Disclosure舉報獎勵610.0 Input and Export 輸入輸出611.0 Appendices and Attachments 附件8Treating Method of the Info-Security Affairs1.0 Purpose目的 Standardize the handling mechanism of the Info-Security affairs, improve the treatment quality of the incident. The relevant affairs of making the Info-Security affairs notify , dealing with , improving , auditting etc. are accorded with to some extent. 規范資訊安全事件處置機制，提升事件的處理品質，使資訊安全事件通報、處理、改善、稽核等相關事務有所依據。2.0 Scope適用範圍2.1 This treating method applies to Foxconn Electronics Inc. Info-Security affairs contingency to disposition.本作業辦法適用於富士康科技集團資訊安全事件應變處置作業。 3.0 Role and Responsibility角色與職責 3.1 The table of role and responsibility 角色與職責一覽表Department部門Role角 色Responsibility職 責資安管理部資安主管a 審核資安事件處理計劃b 對資安案件分級判斷c 建置資安措施，執行資安監控d 指導資安處理計劃執行e 依計上級指導修訂處理計劃f 管控是否需要協作單位支援緊急應變處理小組a 規劃危機處理計劃程式b 協助事件發生單位查明安全事件原因c 協調執行緊急應變措施d 執行資安稽核e 協助事發單位執行改善作業f 撰寫結案報告記錄人員a 事件受理通報b 根據客服系統做過程跟綜c 整理資安件結案文檔舉報者a 自願向資安管理部舉報資安事件b 必要時進行指證協作單位事件發生單位a 及時通報事件b 主導組建事件處理小組事件處理小組a 制訂處理、改善詳細計劃b 執行計劃並提出事件處理報告；Department部門Role角 色Responsibility職 責協作單位集團資訊安全委員會a 接受資安事件通報制訂處理計劃b 指導、審核處理小組之作業；c 指導危機預防演練資安事件應急專家組a 處理重大資安事件b 訓練緊急應變處理小組，事件處理小組安全技術c 隊集團安全策略提出建議和意見CIO資安事件主任委員a 下達重大資安事件處理指示b 對重大資安事件處理計劃審核c 啟動災難復原機制3.2 Affairs Disposition Group事件處理小組3.2.1 Can be units leading factor happen by the incident and set up in Affairs Disposition Group, the incident happens unit , incident relevant unit , Info-Security Management (in case of necessity ) transfer manpower to make up , may include the professional service provider of outside.事件處理小組可由事件發生單位主導組建，事件發生單位、事件相關單位、資安管理部（必要時）抽調人力組成可能包括外部專業服務提供商；3.2.2 Affairs Disposition Group should work under the guidance of Info-Security Committee, Local Information Department Manager and Administrative Executive, and report to them.事件處理小組應在資安委員會、本部門資訊主管、行政主管指導下工作並且向資安事件處理委員會、本部門資訊主管、行政主管報告；3.3 Info-Security Committee of the Group集團資安委員會3.3.1 Info-Security Committee of the Group is organized by Central Information Department Manager, Group Information Department Manager and senior information technical staff.集團資安委員會乃召集性組織，成員由各事業群/中央周邊單位資訊主管、資深資訊技術人員組成；3.3.2 Advisor group members is organized by senior administrative executive, IT Manager, technical staff or senior personages of outside manufacturer , professional service organization.顧問組成員可由集團内部資深行政主管、IT 主管、技術人員或者外部廠商、專業服務機構的資深人士擔任；3.3.3 If Info-Security Affairs is happened, according to incident nature, involve the professional field, deal with the committee to transfer relevant personnel from the incident, instruct Info-Security Affairs Disposition Group promotes ones work.如遇資安事件發生，則根據事件性質、涉及專業領域，從事件處理委員會抽調相關人員，指導資安事件處理小組開展工作；4.0 Emergency work flow chart of Info-Security Affairs 資安事件應變作業流程圖 處理重大資安事件緊急應變處理小組、事件處理小組安全技術對集團安全策略提出建議和意見 5.0 Reporting of Info-Security Affairs通報作業 5.1 Hot Line & E-mail for Info-Security Affairs notify (report).資安事件通報熱綫、信箱。5.1.1 Hot Line for Info-Security Affairs notify (report):560-102, nder the care of Product Dynamic Solution Services Info-Security Management.集團設置資安事件通報（舉報）熱綫：560-102，由工管資訊資安管理部負責；5.1.2 Can also notify (report) to Info-Security Management through the E-mail: INFOSEC/CEN/FOXCONN or PDSSS.亦可透過電子郵件向資安部通報（舉報）：INFOSEC/CEN/FOXCONN，或PDSSS。 5.2 Log of Aviso通報記錄5.2.1 In case of Info-Security Affairs happens, should report to Info-Security Management in ten minutes.如遇資安事件發生，應在十分鐘內報告資安管理部；5.2.2 Group staff are obligated to report Info-Security Affairs to Info-Security Management.集團員工有義務向資安管理部舉報資安事件；5.2.3 Info-Security Management receives the notification (reporting), must remind the persons who notify and keep the secret , dont tell to others again.資安管理部接到通報（舉報），須提醒通報者務必保守秘密，勿再向他人講述；5.2.4 Not accepting and reporting anonymously, the persons who demand to report tell Info-Security Management true name , office , contact way ,etc. Info-Security Management must be kept secret for persons who report.不接受匿名舉報，要求舉報者告知資安管理部真實姓名、工作單位、聯係方式等。資安管理部須為舉報者保密；5.2.5 Info-Security Affairs serial number rule: Year - month- serial number (example: 2006-01-XX) ; Info-Security file serial number observes File Coding Process Guide Line of Product Dynamic Solution Services Info-Security Management .資安事件編號規則：年份-月份-流水號（例：2006-01-XX）；資安文檔編號遵守工管資訊資安管理部文件編碼作業準則；5.2.6 Info-Security Management writes down the notification of every one Info-Security Affairs (including reporting), and deal with Info-Security Affairs in coordination with the unit , Info-Security Committee of the Group happens in the incident after being notified.資安管理部記錄每一件資安事件之通報（含舉報），並在得到通報後協同事件發生單位、集團資安事件處理委員會處理資安事件；5.2.7 If it is not Info-Security Affairs, must tell the persons who notify proper circular targets , for example: The public safe incident notifies central Ministry of State Security.若不屬於資安事件，須告知通報者適當的通報對象，例如：公共安全事件通報中央安全部。 6.0 Disposition of Info-Security Affairs處理作業6.1 The illustration of disposition處理作業説明6.1.1 Info-Security Management, after receiving taking place on the notification / reporting of Info-Security Affairs, must note down the incident to departments executive transmits submit Info-Security Committee of the Group.資安管理部在接到發生資安事件的通報/舉報後，須將事件紀錄經部門主管轉呈集團資安事件處理委員會；6.1.2 Info-Security Committee of the Group is notified the unit happens in the incident, the leading factor makes up Affairs Disposition Group.集團資安事件處理委員會通知事件發生單位，主導組成事件處理小組；6.1.3 Info-Security Management is helped or must participate in Affairs Disposition Group and deal with the incident of information safety.資安管理部協助或視必要參與事件處理小組處理資安事件；6.1.4 Info-Security Affairs Disposition Group proposes dealing with the scheme in incident under the guidance of committee, and carry out this scheme.資安事件處理小組在委員會指導下提出事件處理方案，並且執行該方案；6.1.5 Info-Security Affairs Disposition Group should deal with to Info-Security Committee , our unit report incident punish progress at any time.資安事件處理小組應隨時向資安事件處理委員會、本單位彙報事件處理進展。7.0 Improving of Info-Security Affairs改善作業 7.1 Plan and Proposal of Improving改善計劃及建議7.1.1 The info-security affairs is dealt with later stage or after finishing, the incident should summarize the unit, look for the holes of the info-security, propose improving the scheme and improving the plan.資安事件處理後期或完畢以後，事件發生單位應進行總結，尋找資安漏洞，提出改善方案及改善計劃；7.1.2 Info-Security Management helps the incident to offer the suggestion of improving on the basis of summarizing the incident result.資安管理部協助事件發生單位在總結事件處理結果基礎上提出改善建議。 7.2 Improving of Info-Security Affairs改善作業7.2.1 The incident takes charge of implementing the unit.事件發生單位負責實施。8.0 Audit稽核8.1 Info-Security Management is responsible for carrying out and audits and deals with the committee and offers and audits reporting to info-security affairs to the thing that the improvement homework of the unit happens in the incident. 資安管理部負責執行對事件發生單位的改善作業進行稽核並向資安事件處理委員會提供稽核報告。 8.2 The contents of improving and auditing, make reference to “Treating Method of the Info-Security Affairs”.關於改善作業及稽核，具體見資安事件處理作業辦法。9.0 Encourage for Disclosure舉報獎勵 9.1 The group encourages the employee to put forward to Department of Info-Security Management reporting after finding the info-security affairs.集團鼓勵員工發現資安事件後向資安管理部提出舉報； 9.2 The moment the disclosure being affirmed, prosecutor will be properly rewarded.舉報經查實，將予以舉報人適當的物質及精神獎勵。9.3 Detailed reward procedure will be drawn up by Department of Human Resource Management, assisted by