We are aware that, owing to business needs, CTI receives and holds large volumes of customer information and data. We therefore treat the protection of customer information, data, and privacy as an integral part of operation and management, and as a commitment to each of our partners. We keep abreast of developments in information security and data protection. Building on compliance, we are progressively improving our information security architecture to counter evolving cyberattacks and to identify, warn of, block, and handle high-risk information security incidents in a timely manner.
We have established policies such as the Information Security Management Regulations and the Procedure for Protecting Customer Secrets and Ownership Rights, and formed an information security leading group responsible for overseeing information security across the Group. Each year, our information security team assesses information security risks to keep pace with changes in our information assets, determine whether new threats or vulnerabilities have emerged, and decide whether new controls are required. Employees' information security responsibilities are stated at the time of hiring, and new recruits complete information security training within one month of onboarding. In addition, we hold regular information security training and awareness campaigns for all employees to improve their awareness of, and ability to safeguard, business secrets, intellectual property, personal privacy, and customer data.
We strive to keep the data we collect transparent and open on the premise of compliance and controllability, while protecting it from unauthorized use or leakage. To this end, we have drafted data security regulations such as the Database Operation Management Regulations, the Measures for User Management in Information Systems, and the Management Regulations in Data Centers. We have also built a management system that covers the entire data security life cycle, progressively applying world-leading information security management standards according to the risk level of the data. Our rapid food inspection and feed product line and our wholly-owned subsidiary CTI Network Security Certificate Authority Co., Ltd. are certified to ISO/IEC 27001, and the remaining divisions are undergoing or will soon begin certification. CTI MALL, the CTI Electronics Certification Service Platform, and the LIMS of Shanghai CTI-Medlab Co., Ltd. (CTI MedLab) have obtained Level 3 certification under the national Multi-Level Protection Scheme (MLPS) for information security.
Data Loss or Leakage
Based on our analysis of the current cybersecurity environment, we consider the highest-risk data leakage scenario to be intrusion into our data centers by attacker groups. To mitigate this risk, we have deployed security devices such as firewalls and application firewalls at the network boundary of our data centers. Vulnerabilities in hosts and application systems are patched and the systems hardened, and critical data is backed up in real time to an off-site location.
In daily O&M, our information security team reviews the security of networks, key systems, and databases across the data life cycle (collection, storage, transmission, use, sharing, and disposal) to prevent attacks and data leakage. We also plan to engage external professional organizations to perform penetration testing and risk assessments of our intranet, so that deficiencies in information security can be discovered and protective measures strengthened accordingly.
Most of the customer data we hold is stored in the Group's Laboratory Information Management System (LIMS). The LIMS provides a dedicated user management interface that distinguishes permissions by user type. Through the system's role management mechanism, we define and customize the functions available to each role, including the viewing, modification, and deletion of data or files. Permissions are granted by assigning users to roles (the user-role matrix), which allows them to be controlled precisely.
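The role-based permission model described above, illustrated as an added example (this is not CTI's LIMS code, and the role names, resource types, users, and actions are assumed for illustration). Permissions are attached to roles, users are mapped to one or more roles, and every check is deny-by-default: a user with no roles, an unknown user, or a role that is not defined in the permission table grants nothing, and denied attempts are recorded for audit.

```python
"""Minimal role-based access control (RBAC) check in the style of a LIMS
user/role matrix. Added illustrative example; names are hypothetical."""

from typing import Dict, List, Set, Tuple

# A permission is (resource type, action). Actions mirror the page's
# "view, modify, delete" functions. Constructed sample data, not real config.
Permission = Tuple[str, str]

ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "analyst": {("sample", "view"), ("sample", "edit"), ("report", "view")},
    "reviewer": {("sample", "view"), ("report", "view"), ("report", "edit")},
    "lab_admin": {
        ("sample", "view"), ("sample", "edit"), ("sample", "delete"),
        ("report", "view"), ("report", "edit"), ("report", "delete"),
    },
}

# The user-role matrix: a user may hold several roles (hypothetical users).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"analyst"},
    "bob": {"analyst", "reviewer"},
    "carol": {"lab_admin"},
    "dave": set(),            # account with no roles: denied everything
    "erin": {"legacy_role"},  # role missing from ROLE_PERMISSIONS: grants nothing
}


class AccessDenied(Exception):
    """Raised when a user lacks the permission for the requested action."""


def effective_permissions(user: str) -> Set[Permission]:
    """Union of the permissions of every role the user holds.

    Unknown users and roles absent from ROLE_PERMISSIONS contribute nothing,
    so misconfiguration fails closed rather than open.
    """
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: str, resource_type: str, action: str) -> bool:
    """Deny-by-default permission check."""
    return (resource_type, action) in effective_permissions(user)


def authorize(user: str, resource_type: str, action: str,
              audit_log: List[str]) -> None:
    """Enforce the check and record the decision; raise on denial.

    Both allowed and denied decisions are logged so that an auditor can
    reconstruct who touched which data, which the text's permission
    control implies but does not describe.
    """
    decision = "ALLOW" if is_allowed(user, resource_type, action) else "DENY"
    audit_log.append(f"{decision} user={user} resource={resource_type} action={action}")
    if decision == "DENY":
        raise AccessDenied(f"{user} may not {action} {resource_type}")


def demo() -> List[str]:
    """Run a few representative checks and return the audit trail."""
    log: List[str] = []
    for user, res, act in [
        ("alice", "sample", "edit"),   # analyst may edit samples
        ("alice", "report", "edit"),   # but not reports -> denied
        ("bob", "report", "edit"),     # gained via the reviewer role
        ("carol", "sample", "delete"), # only lab_admin may delete
        ("dave", "sample", "view"),    # no roles -> denied
        ("erin", "sample", "view"),    # undefined role -> denied
    ]:
        try:
            authorize(user, res, act, log)
        except AccessDenied:
            pass
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The important design choice is that `effective_permissions` never raises on an unknown user or role; it simply returns an empty set, so a typo in the role table removes access rather than silently widening it. Deletion is deliberately confined to a single role, matching the principle that destructive actions should be the most tightly held.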
Following the principle of "active defense, comprehensive prevention, rapid response, and joint handling," we have established the Response Plan for Emergency Information Network Incidents and an emergency response mechanism. Together they specify how security incidents are categorized and rated by severity, and the conditions under which the emergency plan is activated. The information security leading group directs the resolution of security incidents in information systems, making arrangements and allocating personnel and supplies in a unified manner, while the information security team carries out the emergency response according to its responsibilities. In daily O&M, we hold regular emergency training and attack-and-defense drills to improve our emergency response capabilities.