We established an Information Committee, with the Chairman of the Board as the director, the CEO as the executive deputy director, and the vice president in charge of information security as the deputy director. The Information Committee is the decision-making body for major information security matters such as the Company's information security management guidelines and policies responsible for guiding the construction of information security systems. The general manager of the Information department (Information Security Officer) will report on the Company's network security every month.
We have formulated a sound information security system and technical standards, and implemented corresponding management measures to protect the confidentiality, integrity and availability of information systems, automation equipment and data. Our group-wide information security management scope includes:
We have formulated the "Information Security Incident Emergency Response Plan", which stipulates the importance level of information security incidents such as network interruption and equipment failure, as well as emergency reporting, disposal, and information disclosure procedures. We organize disaster backup and recovery drills every six months and keep drill records. Meanwhile, we clarified the reporting procedures and time limits for information security emergencies: the relevant on-site personnel immediately report to the department head → the department head informs the relevant personnel for on-site disposal, and immediately press procedure. Report directly to the leader and, if necessary, to the main responsible personnel. After receiving the information security incident report, the responsible personnel or direct management leader should quickly organize a response, report to the emergency response office, and report to the local government/public security department if necessary.
We organize various information security awareness training covering all employees, such as information security and privacy protection related activities, lectures, and disseminations on work platform. Employees who violate information security management regulations or fail to fulfill their information security responsibilities will receive penalties depending the circumstances. At the same time, information security work is also a part of the assessment of the informatization work of subsidiaries, accounting for 10%.