Information Security Incident Handling Procedure (资安事件处理作业办法.docx)


Revision History

Procedure:
Title: Treating Method of the Info-Security Affairs (資安事件處理作業辦法)
Rev:

Rev.: A
ECN:
Date: 2006/6/22
Originator: Yoyo Yuan
Reason: Initial Release

Issue stamp:
Date:

TRADE SECRETS, CONFIDENTIAL INFORMATION, PROPRIETARY INFORMATION NOTICE and COPYRIGHT

The Copyright in this document is vested in Altus Technology Inc. The document may not be reproduced in whole or in part, or stored in a retrieval system, or transmitted in any form or by any means electronic, mechanical, photocopying or otherwise, without the prior written permission of Altus Technology Inc. This document, or its contents, either in whole or in part, must not be communicated to the press or any person not authorized to receive it. The data shall not be duplicated, used, or disclosed in whole or in part for any purpose other than to evaluate the contents. This restriction does not limit the right of the recipient to use information contained in this data for its review and use for its intended purpose. The data subject to this restriction is contained in pages of this document marked "Altus Proprietary Data".

Contents

1.0 Purpose
2.0 Scope
3.0 Role and Responsibility
4.0 Emergency work flow chart of Info-Security Affairs
5.0 Reporting of Info-Security Affairs
6.0 Disposition of Info-Security Affairs
7.0 Improving of Info-Security Affairs
8.0 Audit
9.0 Encourage for Disclosure
10.0 Input and Export
11.0 Appendices and Attachments

Treating Method of the Info-Security Affairs

1.0 Purpose

Standardize the mechanism for handling information security incidents and improve the quality of incident handling, so that the notification, handling, improvement, audit and related activities for information security incidents have a defined basis.

2.0 Scope

2.1 This procedure applies to the contingency response and disposition of information security incidents at Foxconn Electronics Inc.

3.0 Role and Responsibility

3.1 Table of roles and responsibilities

Department: Info-Security Management (資安管理部)

  Role: Info-Security Manager
    a. Review information security incident handling plans.
    b. Judge the classification level of information security cases.
    c. Establish information security measures and carry out security monitoring.
    d. Direct the execution of handling plans.
    e. Revise handling plans according to guidance from superiors.
    f. Control whether support from collaborating units is required.

  Role: Emergency Response Team
    a. Plan crisis-handling plans and procedures.
    b. Assist the unit where the incident occurred in determining the cause of the security incident.
    c. Coordinate and carry out emergency response measures.
    d. Carry out information security audits.
    e. Assist the unit where the incident occurred in carrying out improvement work.
    f. Write the case-closure report.

  Role: Recorder
    a. Accept and notify incidents.
    b. Track the process in the customer service system.
    c. Compile the case-closure documents for information security incidents.

  Role: Reporter
    a. Voluntarily report information security incidents to Info-Security Management.
    b. Give evidence when necessary.

Department: Collaborating units (協作單位)

  Role: Unit where the incident occurred
    a. Notify the incident promptly.
    b. Lead the formation of the Affairs Disposition Group.

  Role: Affairs Disposition Group
    a. Draw up detailed handling and improvement plans.
    b. Execute the plans and submit the incident handling report.

  Role: Info-Security Committee of the Group
    a. Receive information security incident notifications and draw up handling plans.
    b. Guide and review the work of the Affairs Disposition Group.
    c. Guide crisis-prevention drills.

  Role: Info-Security Affairs Emergency Expert Group
    a. Handle major information security incidents.
    b. Train the Emergency Response Team and the Affairs Disposition Group in security techniques.
    c. Offer suggestions and opinions on the group's security strategy.

Department: CIO

  Role: Chair of the Info-Security Affairs Committee
    a. Issue instructions for handling major information security incidents.
    b. Review handling plans for major information security incidents.
    c. Activate the disaster recovery mechanism.

3.2 Affairs Disposition Group

3.2.1 The Affairs Disposition Group may be set up under the lead of the unit where the incident occurred. It is staffed by people drawn from the unit where the incident occurred, units related to the incident and, when necessary, Info-Security Management, and may include external professional service providers.

3.2.2 The Affairs Disposition Group should work under the guidance of the Info-Security Committee, the local Information Department Manager and the Administrative Executive, and report to them.

3.3 Info-Security Committee of the Group

3.3.1 The Info-Security Committee of the Group is a convened body. Its members are the information department managers of the business groups and central units, together with senior information technology staff.

3.3.2 Members of the advisor group may be senior administrative executives, IT managers and technical staff from within the group, or senior people from external vendors and professional service organizations.

3.3.3 When an information security incident occurs, relevant personnel are drawn from the committee according to the nature of the incident and the professional field involved, to guide the Affairs Disposition Group in its work.

4.0 Emergency work flow chart of Info-Security Affairs

[Flow chart: emergency response workflow for Info-Security Affairs]

5.0 Reporting of Info-Security Affairs

5.1 Hot line and e-mail for notifying (reporting) information security incidents

5.1.1 The group's hot line for notifying (reporting) information security incidents is 560-102, under the care of Product Dynamic Solution Services Info-Security Management.

5.1.2 Incidents can also be notified (reported) to Info-Security Management by e-mail: INFOSEC/CEN/FOXCONN or PDSSSecurity.

5.2 Notification records

5.2.1 When an information security incident occurs, it should be reported to Info-Security Management within ten minutes.

5.2.2 Group staff are obligated to report information security incidents to Info-Security Management.

5.2.3 On receiving a notification (report), Info-Security Management must remind the person notifying to keep the matter secret and not to tell anyone else about it.

5.2.4 Anonymous reports are not accepted. The person reporting is required to give Info-Security Management their true name, work unit, contact details and so on. Info-Security Management must keep the identity of the person reporting confidential.

5.2.5 Numbering rule for information security incidents: year - month - serial number (example: 2006-01-XX). Numbering of information security files follows the "File Coding Process Guide Line of Product Dynamic Solution Services Info-Security Management".

5.2.6 Info-Security Management records every notification of an information security incident (including reports) and, once notified, handles the incident together with the unit where the incident occurred and the Info-Security Committee of the Group.

5.2.7 If the matter is not an information security incident, the person notifying must be told the appropriate place to report it; for example, public safety incidents are reported to the central security department (中央安全部).

6.0 Disposition of Info-Security Affairs

6.1 Description of the disposition process

6.1.1 After receiving a notification or report of an information security incident, Info-Security Management must pass the incident record through the department head to the Info-Security Committee of the Group.

6.1.2 The Info-Security Committee of the Group notifies the unit where the incident occurred, which leads the formation of the Affairs Disposition Group.

6.1.3 Info-Security Management assists the Affairs Disposition Group or, where necessary, takes part in it to handle the information security incident.

6.1.4 Under the guidance of the committee, the Affairs Disposition Group proposes a plan for handling the incident and carries it out.

6.1.5 The Affairs Disposition Group should report the progress of incident handling to the Info-Security Committee and to its own unit at any time.

7.0 Improving of Info-Security Affairs

7.1 Improvement plan and proposals

7.1.1 In the later stage of handling an information security incident, or after handling is complete, the unit where the incident occurred should carry out a review, look for information security weaknesses, and propose an improvement scheme and an improvement plan.

7.1.2 Info-Security Management assists the unit where the incident occurred in proposing improvements on the basis of the review of the incident handling results.

7.2 Improvement work

7.2.1 The unit where the incident occurred is responsible for implementation.

8.0 Audit

8.1 Info-Security Management is responsible for auditing the improvement work of the unit where the incident occurred and for providing the audit report to the Info-Security Committee.

8.2 For details of improvement work and auditing, refer to "Treating Method of the Info-Security Affairs".

9.0 Encourage for Disclosure

9.1 The group encourages employees who discover an information security incident to report it to Info-Security Management.

9.2 Once a report has been verified, the person who reported will be given appropriate material and moral rewards.

9.3 The detailed reward procedure will be drawn up separately by Human Resource Management, assisted by Info-Security Management; see the "Info-security Disclosure and Reward Procedure".

10.0 Input and Output

10.1 Input

  Name: Notification that an information security incident has occurred
  Description: Notifies the information security incident (time of occurrence, course of events, impact).
  Remark: May be a verbal account or a description sent by e-mail.

10.2 Output

  Name: Security incident notification acceptance record form
  Description: Info-Security Management records information security incidents notified by the unit where the incident occurred or reported by employees.
  Remark: Recorded by Info-Security Management.

  Name: List of Affairs Disposition Group members
  Description: The group should consist of relevant personnel from the unit where the incident occurred, information service units, external vendors and professional service units, together with externally engaged experts and consultants; it may be organized as a project structure.
  Remark: Submitted by the unit where the incident occurred and the Affairs Disposition Group; confirmed and compiled by Info-Security Management.

  Name: Information security incident handling plan
  Description: Designated Info-Security Management staff draft the plan for the incident concerned, classify and grade the incident by severity, and produce a handling plan that can be executed.
  Remark: Completed by Info-Security Management.

  Name: Information security incident handling report
  Description: A detailed report covering the occurrence of the incident, the handling process and results, and the improvement plan.
  Remark: Completed by the unit where the incident occurred and the Affairs Disposition Group.

11.1 Appendices and Attachments

11.2 Altus Information Security Incident Notification Record Form (Altus資訊安全事件通報記錄表)
11.3 Altus Information Security Incident Handling Plan (Altus資訊安全事件處理計劃書)
11.4 Altus Info-Security Incident Personnel Reward and Penalty Record Form (Altus資安事件人事獎懲記錄表)
