In 2021, our performance:
1. Information Security Management Organization
In order to ensure the effective implementation of information security and data protection, we have established an information security leading team headed by the CEO and vice president of IT department as the deputy head. The team is the highest organization for the group's information security work, being responsible for researching, making decisions, and coordinating major matters of the Group's information security work. The information security working team composed of information security engineers, system engineers, network engineers, and information security officers of various functional departments, business units, and branches, and is responsible for implementing and feeding back control measures for information security and data security. The specific management structure and division of responsibilities are as follows:
Information Security Management Structure
信息安全领导小组：Information Security Leading Team 组长 head 副组长deputy head 信息安全领导小组成员：Information Security Leading Team Members
信息安全工作小组：Information Security Working Team 组长 head 副组长deputy head 信息安全工作小组成员：Information Security Working Team Members
信息安全工程师information security engineers
各职能部门、事业部、分支机构信息安全员information security officers of various functional departments, business units, and branches,
Information Security Leading Team
Information Security Working Team
In addition, our Information Security Risk Assessment Team conducts information security risk assessments to adapt to changes in information assets every year. We determine whether new threats or weaknesses is existed and whether new control measures need to be added.
2. Information Security Management Policy
To strengthen the management of the group's information security and to ensure that the company's activities meeting the requirements of laws and regulations; and to protect data from unauthorized use or leakage, we have formulated the Management Specification of Database Operation, Management Measures of Information System User and Management System of Data Center and other relevant management systems, and according to the degree of data security risk, gradually adopt the world’s leading information security management standard framework, and establish a management system that runs through the entire life cycle of data security.
During the reporting period, we also formulated new rules and regulations such as the Management Measures for Vulnerability of Information System and Management System of Software Genuine Work. We reviewed the various chapters of the Management System of Information Security and Emergency Response Plan for Information Network Incidents. We also revised all related chapters to ensure that our information security management framework keeping update in a leading position.
3. Dealing with the Risk of Data Loss and Disclosure
In accordance with the The Cybersecurity Law of the People's Republic of China, Emergency Response Plan of National Network and Information Security Incident and other laws and regulations, and based on the working principle of "active defense, comprehensive prevention, rapid response and joint handling", we have formulated the Emergency Response Plan of Unforeseen Information Network Incidents. It clarified the classification of events and the conditions for activating the emergency plan. The information security leading team conducts unified leadership, deployment of work, and mobilization of personnel and materials for the resolution of various information security incidents occurred in the information system. The information security working team conducts emergency response according to its own responsibilities. Through the analysis of the current environment of network security, we believe that the highest risk of data leakage is when the data center is subjected to infiltration attacks from hacker groups. To prevent the occurrence of such risks, we have taken the following proactive and reactive countermeasures:
- We deployed firewalls, application firewalls and other security devices at the network boundary of the data center. We repaired and strengthened the vulnerabilities of host computers and application systems; and performed real-time and off-site backup of important data.
- At the technical level, we had deployed security systems such as anti-tampering systems of webpage, web application protection systems, operation and maintenance of security auditing systems. Those intrusion prevention systems could effectively protect against illegal attacks such as illegal tampering, illegal network requests and threat traffic.
- In daily operation and maintenance, the information security working team would conduct security checks in the steps of collection, storage, transmission, usage, provision and destruction of networks. Our important systems and databases could prevent hacker attacks and data leakage eventually.
- We regularly carried out emergency supporting training for data management personnel. We would also conduct all-rounded emergency response drill of information network every year with subsidiary company as a unit to improve emergency response capabilities.
- We had hired external professional organization to conduct penetration testing and risk assessment of information security on the company's intranet for discovering deficiencies in information security and strengthening the company's security protection measures.
4. Protecting Customer Data and Privacy
The customer data holding by us is resided primarily in the Group Laboratory Information Management System (LIMS). LIMS accounts have a dedicated user management interface which differentiates different user rights according to types of users. In addition, throughout the management mechanism of the system, we can classify and customize functions for users with different identities, including accessing, modifying and deleting data or files. We also use the cross management of users and roles to achieve precise control of assess permissions.
In order to strengthen the protection of customer privacy and information security, we have added CA electronic certification for electronic report seals and electronic signatures. CA certification adopts physical, electronic and management security protection measures in line with industry standards. It establishes a security system to ensure operational security during the process of information storage, usage and access.
- Access and modification of personal information: We guarantee the right of users to access, update, amend and delete personal information.
- Minimize data retention time: We will only retain the user's personal information for the period till completion of the service.
5. Information Security Training for Employee
We have clarified employee information security responsibilities when hiring employees. We require employees to sign the Employees' Agreement on Confidentiality of Business Secrets when they join the company. We organize information security training within one month of new employees' entry. On this basis, we will provide regular information security training on publicity for all employees to improve employees' awareness and ability to protect our business secrets, intellectual property, personal privacy and customer data.
During the reporting period, we added two compulsory E-learning courses on information security and privacy protection: "Data Security and Privacy Protection" and "Network Security Awareness Training". Those courses covered our employees in all business lines of the company.
6. Information Security Audit
We actively carry out internal and external audits of the information security management system. Our Management System of Information Security requires an external risk assessment every two years. During the reporting period, we hired an external professional organization to conduct an information security risk assessment of the company to identify risk weaknesses.
In addition, we build an information security management system in accordance with ISO/IEC 27001 standards. Now our rapid food inspection and feed product line and our subsidiary CTI Electronics Certification Co., Ltd. have been certified by the ISO/IEC 27001, and the rest divisions are undergoing or will soon start the certification. Our CTI MALL, CTI Electronics Certification Service Platform, and the LIMS of Shanghai CTI-Medlab Co., Ltd. (CTI MedLab) have already obtained the L3 certification under the national multi-level protection scheme (MLPS). During the reporting period, we started planning to carry out ISO/IEC 27001 certification. Starting from 2022, the ISO/IEC 27001 system certification will be gradually implemented in our subsidiaries.
In 2021, we conducted an information security review of our software development outsourcing supplier. During the reporting period, we launched a supplier information security and privacy protection improvement plan. It is expected to release management systems and measures for IT suppliers in 2022, in order to promote IT suppliers for the improvement on information security capabilities.