Information Security and Data Protection

Release date: 2023-04-24

  1. Information Security Management Organization

In order to ensure the effective implementation of information security and data protection, the Company's Information Security Leadership Team is responsible for comprehensively coordinating and organizing personal information security and data security work, including: developing and updating privacy policies, researching/deploying/summarizing/coordinating information security work, formulating information security policies/goals/overall planning/resource investment, etc. The Information Security Working Team is responsible for implementing and providing feedback on control measures for information security and data security, establishing and maintaining information security procedures and operating manuals, evaluating & investigating security issues, and conducting information security inspections and audits. The Information Security Risk Assessment Team conducts an annual information security risk assessment to determine whether there are new threats or weaknesses, and to confirm whether new control measures need to be added.

Information Security Management Structure

  1. Information Security Management Policy

To strengthen the Group's information security management, we have formulated information security management systems such as the Information Security Management System, Database Operation Management Specification, Information System Vulnerability Management Measures, and Emergency Plan for Sudden Information Network Events, and we have gradually established a management system that runs through the entire lifecycle of data security.

  1. Prevention and Resolution of Data Loss and Disclosure

The Company has formulated the Emergency Response Plan of Unforeseen Information Network Incidents and has established an emergency mechanism. We have defined the classification and grading of data leakage emergency events and the conditions for initiating emergency plans. We regularly revise and improve the emergency plans to keep them current. During the reporting period, our information system was equipped with new technical measures, such as the encryption and data privacy protection measures added by the Medical BU, to further prevent and mitigate the risk of data loss and leakage. The Information Security Leading Team is responsible for the unified direction of the response to information security incidents that occur in the information system, the unified mobilization of materials, and the emergency handling of information security.

  1. Protecting Customer Data and Privacy
  1. Privacy Policy

We have formulated the CTI Privacy Policy to ensure users' right to access, update, correct, and delete personal information. We guarantee that users' personal information will only be retained for the period necessary to complete the service, and will not be shared with any company, organization, or individual other than CTI, except where required by law or regulatory authorities and in the necessary scenarios specified in the privacy policy.

  1. Access Permission

Customer data and information are mainly stored in the Group Laboratory Information Management System (LIMS), and the LIMS account has a dedicated user management interface that distinguishes different usage permissions based on user type. Through the role management mechanism of the system, we classify and customize functions such as accessing, modifying, and deleting data or files for users with different roles, and use cross management to achieve precise control of permissions.

  1. CA Certification

We have applied signature encryption and electronic certification to electronic reports. CA certification adopts physical, electronic, and management security protection measures in line with industry standards. It establishes a security system to ensure operational security during information storage, usage, and access.

  1. Honors for Network Information Security

We have been awarded the qualification of a cost evaluation institution, been selected for the list of mobile app security technology support units by the Yunnan Internet Association, participated in drafting the communication industry standard Overall Technical Requirements for IPv4 IPv6 Business Interoperability Based on Cloud Computing Technology, and been selected for the first batch of data security industry expert committees and series of working groups of the Ministry of Industry and Information Technology of China. From a professional perspective, we provided support for ensuring customer privacy and data security.

  1. Information Security Training for Employees

We require employees to sign the Employees’ Agreement on Confidentiality of Business Secrets when they join the company, and we organize information security training within one month of a new employee's entry. We offer mandatory courses on information security and privacy protection, such as Data Security and Privacy Protection and Network Security Awareness Training, through e-learning to enhance employees' awareness of and ability to protect trade secrets, intellectual property, personal privacy, and customer data.

CTI Certification launched a series of lectures on Data Security Management Training - Understanding and Implementation of GB/T 41479 Information Security Technology Network Data Processing Security Requirements to help enterprises improve their data security management level.

  1. Information Security Audit

According to the requirements of the Information Security Management System, the Company conducts an external risk assessment every two years and hires a third-party professional information security service agency to conduct the information security risk assessment. We conduct vulnerability scans and penetration tests on information assets at irregular intervals to identify weaknesses and risks.

We established a database audit system in the group data center to record and audit all database operations, ensuring that illegal modifications can be traced back. At the same time, we have launched a security awareness platform, which collects all security logs uniformly and conducts automated correlation analysis to maximize the prevention and resolution of data and privacy security risks.

We are gradually implementing ISO/IEC 27001 system certification nationwide. As of now, CTI's food rapid inspection and feed testing product line and our subsidiary CTI Electronic Certification Co., Ltd. have been certified to ISO/IEC 27001. Our CTI MALL, CTI Electronics Certification Service Platform, and the LIMS of Shanghai CTI-Medlab Co., Ltd. (CTI MedLab) have already obtained the L3 certification under the national multi-level protection scheme (MLPS).