

Policy

Camel Group appointed a dedicated Chief Information Security Officer ( CISO) in January 2022. Under the new information security system, we strive to protect and improve information security for our customers through our products and services, while ensuring information security across the Camel Group.

 

We realize that the key element of information security management lies in people. The primary task of the company's information security is to raise the information security awareness of all employees and implement information security work for everyone through training, education, and clear responsibilities.

 

The method of information security management lies in control. Protecting sensitive information such as the company's R&D results, customer data, and company operating data is inseparable from good information security behavioral norms, clear division of labor, and implementation of technical control measures to ensure that there are processes, norms, tools, inspections, and improvements.

 

The goal of information security is to reduce risks. The guiding ideology of information security is to control the losses caused by information security incidents to an acceptable level and to establish information security control capabilities that are compatible with the development of business informatization.

 

The core of information security protection lies in production operations. All information security work must be carried out around production operations, and technical security measures must be taken to ensure the continuous and stable production and delivery of products.

 

Management structure

We have established an information security management organizational structure to comprehensively lead and preside over the company's information security management work. Regional information security personnel have been set up in various domestic and overseas branches to implement globally consistent security policies and measures, and to align the headquarters' policies with the specific security requirements of each country/region to strengthen information security through our global integrated system.

 

The Group Digital Center is responsible for the independent information security work of Camel Group headquarters and its branches and subsidiaries at home and abroad, for supervising the maintenance and management of information security systems, and for strengthening the CISO's control over the relevant departments to achieve the desired information security status. We ensure that each department has an Information Security Officer who is responsible for supervising the management and protection of information.

 


 

Information security goals

In response to the country's efforts to build a cyber power and the rapid increase in more technical and complex cyber attacks, strengthening information security has become a pressing issue for countries and enterprises.

 

We have set information security goals, as described below.

Confidentiality goal: ensure that the company's top-secret and confidential information, materials, samples and other important assets are not disclosed to unauthorized personnel. Information leaks per year: ≤ 4 times/year;

Integrity goal: loss of the company's production data, for any reason: ≤ 1 time/year, and the data lost in any such event must not exceed 24 hours' worth, that is, RPO ≤ 24 hours;

Availability goal: the core business systems are provided 24/7, 365 days a year, with a total interruption time of no more than 526 minutes per year;

Compliance goal: comply with information security laws and regulations worldwide and incur no fines for violations;

Training goal: information security awareness training covers all employees, with a coverage rate of 100%.

 

To achieve this goal, we respond to cyber-attacks through the continuous development of advanced information security, and strive to enhance the information security awareness of employees, and regularly organize information security training and publicity. We are working with relevant departments and employees to develop processes, rules and systems to promote cyber security, and strive to strengthen the information security of the entire Camel Group and provide a safer business environment for our customers and partners.

 

Management measures

In order to continuously improve the company's information security management capabilities and form a sustainable competitive advantage that supports the company's development, we have introduced a series of information security management systems and implemented them in accordance with ISO/IEC 27001:2022 / GB/T 22080 "Information security, cybersecurity and privacy protection - Information security management systems - Requirements", ISO/IEC 27002:2022 / GB/T 22081 "Information security, cybersecurity and privacy protection - Information security controls" and the VDA ISA (TISAX) requirements. The company has obtained TISAX (Trusted Information Security Assessment Exchange) certification with the "very high" protection label, has established an information security management system and complies with the VDA ISA requirements.

 

Under the leadership of the Information Security Leadership Office and the CISO, we organize an information security internal audit every year, comprehensively identify and assess the risks of the company's information assets, and produce information asset risk assessment tables, risk assessment reports and residual risk reports. The relevant departments within the company conduct objective, visible audits of information management and information system security risks and deal with them in a timely manner to meet the organization's information security management requirements. For critical systems or information, the organization controlled by the CISO conducts direct inspections to confirm the risk more accurately and objectively.

 

We have formulated a group business impact analysis report and a three-year business continuity drill plan, prepared emergency plans, conducted emergency drills, and issued emergency drill reports to ensure the safe and stable operation of core and key business systems and guarantee business continuity.

 

We conduct information security training courses for all employees to enhance their information security awareness, cultivate an organizational culture of independent information security measures (taking proactive actions), and keep records and reports of information security incidents. We publish company-wide information security testing reports every month and inform about information security activities.

 

We have developed multiple backup strategies and purchased professional backup tools to perform local backup, off-site backup and tape backup. We produce backup reports every day and conduct backup and recovery drills to ensure that the company's data loss is ≤ 24 hours, that is, RPO = 24 h.
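The daily backup report is what makes the 24-hour RPO verifiable: the check is not "did last night's job run" but "for every dataset, how old is the newest successful copy, and is every tier (local, off-site, tape) still within the window". The following script is an added example, not Camel Group's own tooling; the report format, dataset names and job outcomes are constructed for illustration, and the 24-hour window is the RPO stated on this page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a daily backup report: date, time, dataset, backup tier
# (local / offsite / tape, the three kinds named on the page) and job status.
# Hostnames, datasets and failures are illustrative, not real Camel data.
BACKUP_REPORT = """\
2024-03-09 02:05 erp-db     local    SUCCESS
2024-03-09 02:40 erp-db     offsite  SUCCESS
2024-03-10 02:05 erp-db     local    SUCCESS
2024-03-10 02:41 erp-db     offsite  FAILED   network timeout
2024-03-09 03:00 mes-files  tape     SUCCESS
2024-03-10 03:00 mes-files  tape     FAILED   drive error
2024-03-10 03:30 mes-files  local    SUCCESS
2024-03-09 04:00 plm-vault  local    FAILED   disk full
2024-03-10 04:00 plm-vault  local    FAILED   disk full
"""

RPO = timedelta(hours=24)  # recovery point objective stated on the page


def parse_report(text):
    """Yield (timestamp, dataset, tier, succeeded) for each non-empty report line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, dataset, tier, status = line.split()[:5]
        yield datetime.fromisoformat(f"{date} {time}"), dataset, tier, status == "SUCCESS"


def check_rpo(text, now, rpo=RPO):
    """Per dataset: newest successful backup of any tier, whether that meets the
    RPO, and which tiers have no success inside the RPO window (a stale tier means
    the RPO is only being met by a single copy, which is worth flagging early)."""
    latest = defaultdict(dict)   # dataset -> tier -> newest successful run
    seen_tiers = defaultdict(set)
    for ts, dataset, tier, ok in parse_report(text):
        seen_tiers[dataset].add(tier)
        if ok and ts > latest[dataset].get(tier, datetime.min):
            latest[dataset][tier] = ts

    result = {}
    for dataset, tiers in seen_tiers.items():
        successes = latest[dataset]
        newest = max(successes.values()) if successes else None
        stale = sorted(t for t in tiers
                       if t not in successes or now - successes[t] > rpo)
        result[dataset] = {
            "latest_success": newest,
            "rpo_met": newest is not None and now - newest <= rpo,
            "stale_tiers": stale,
        }
    return result


def rpo_status(now_iso="2024-03-10 18:00"):
    """Evaluate the constructed report at a fixed point in time."""
    return check_rpo(BACKUP_REPORT, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    for dataset, r in sorted(rpo_status().items()):
        flag = "OK    " if r["rpo_met"] else "BREACH"
        print(f"{flag} {dataset}: latest success {r['latest_success']}, "
              f"stale tiers {r['stale_tiers']}")
```

In the sample, erp-db and mes-files meet the RPO only through their local copy while the off-site and tape copies are already more than a day old, and plm-vault has no successful backup at all; a report that only counts jobs run would miss all three conditions.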

 

In order to improve the network security level of Camel Group, a security system protection framework was designed.


 

Technical measures

Complete access control

A complete internal and external access control system has been established based on the zero-trust control center, and access behaviors are continuously monitored and adjusted to build a unified identity authentication system for the entire network.

 

1. Network partitioning and zoning have been further refined, and the egress firewall is deployed redundantly, further improving reliability.

2. Before internal or external users access the network, a terminal security baseline check and network access control are performed.

3. For internal and external users already on the network, identity-based access control, continuous monitoring of user behavior and dynamic reduction of access rights have been added, to support a smooth transition to a zero-trust architecture.

4. Network-wide device log auditing has been added to record every access, for post-incident auditing and tracing.

5. A unified identity authentication platform provides single sign-on with access across the whole network.


Accurate threat detection system

1. The cloud (XDR) + network (situational awareness) + terminal (EDR) all-round threat inspection system greatly reduces false alarms, improves the accuracy of threat monitoring, and completely traces the attack chain.

2. Cloud, network, and terminal linkage event handling reduces the difficulty of closing the loop of security incidents, and relies on the cloud-based XDR platform capabilities to expand the ability to obtain threat intelligence and synchronize similar security incidents across the country.

 

Security Monitoring and Operations

1. The cloud-based "platform + people" model is used to achieve 24/7 uninterrupted security incident monitoring and handling.

2. Proactively identify and resolve problems, optimize the network security system, and achieve proactive defense.

3. The security perception management platform SIP integrates the two major scenario capabilities of "security operation" and "advanced threat detection", aiming to build a big data intelligent security analysis platform for users that integrates detection, visualization, and response, making network security perceptible and easy to operate, and quickly linking security incidents in a closed loop.


 

Vulnerability Management

Based on IT asset management information, we provide vulnerability scanning mechanisms in systems that are exposed to the Internet from the outside, conduct penetration tests, actively participate in attack and defense drills, and take corrective measures triggered by vulnerability detection. We have established a mechanism to ensure that vulnerabilities in systems that are not exposed to the Internet are completely resolved by regularly updating IT asset management information, checking against the vulnerability database, and issuing fines (corrective tasks) to the responsible departments when serious vulnerabilities occur.
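The paragraph above ties vulnerability handling to the IT asset inventory: a finding is only actionable once the asset is known, its owner identified and its Internet exposure understood, and serious findings turn into corrective tasks for the responsible department. The script below is an added example of that triage step, not Camel Group's own process or tooling; the inventory, the finding IDs (placeholders, not real CVE numbers), the CVSS values, the "serious = CVSS 7.0 or higher" threshold and the priority scheme are all assumptions made for illustration.

```python
# Constructed IT asset inventory: hostname -> (owning department, internet-exposed?).
# Every value here is illustrative.
ASSETS = {
    "web-portal-01":   ("Sales IT", True),
    "supplier-api-01": ("Supply Chain IT", True),
    "mes-app-03":      ("Manufacturing IT", False),
    "hr-db-01":        ("HR IT", False),
}

# Constructed scanner output. IDs are placeholders, not real CVE identifiers.
FINDINGS = [
    {"asset": "web-portal-01", "id": "FINDING-001", "cvss": 9.8},
    {"asset": "web-portal-01", "id": "FINDING-002", "cvss": 4.3},
    {"asset": "mes-app-03",    "id": "FINDING-003", "cvss": 7.5},
    {"asset": "hr-db-01",      "id": "FINDING-004", "cvss": 5.0},
    {"asset": "legacy-ftp-09", "id": "FINDING-005", "cvss": 8.1},  # not in the inventory
]

SERIOUS_CVSS = 7.0  # assumption: "serious" means CVSS High or Critical (>= 7.0)


def triage(findings=FINDINGS, assets=ASSETS, threshold=SERIOUS_CVSS):
    """Turn scanner findings into corrective tasks per responsible department.

    Returns (tasks, unknown_assets). Findings on hosts missing from the inventory
    are not silently dropped: they are reported separately, because the page's
    process depends on the inventory being kept current."""
    tasks, unknown = [], set()
    for f in findings:
        if f["asset"] not in assets:
            unknown.add(f["asset"])
            continue
        if f["cvss"] < threshold:
            continue                      # tracked, but no corrective task
        department, exposed = assets[f["asset"]]
        tasks.append({
            "department": department,
            "asset": f["asset"],
            "finding": f["id"],
            "cvss": f["cvss"],
            # assumption: internet-exposed systems are worked first
            "priority": "P1" if exposed else "P2",
        })
    tasks.sort(key=lambda t: (t["priority"], -t["cvss"]))
    return tasks, sorted(unknown)


if __name__ == "__main__":
    tasks, unknown = triage()
    for t in tasks:
        print(f"{t['priority']} {t['department']}: fix {t['finding']} "
              f"on {t['asset']} (CVSS {t['cvss']})")
    for host in unknown:
        print(f"INVENTORY GAP: {host} has findings but no owner; register it first")
```

The inventory gap is the case worth noticing: a serious finding on an unregistered host has no department to receive the task, so the first corrective action is to register the asset, not to patch.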

 

Threat Intelligence and External Attack Surface Management

With the continuous evolution of Internet technology, external attack surfaces have become more complex. Some of Camel Group's external business systems are open to the Internet and suppliers, third parties and users, which has led to the exposure of internal information assets on the Internet, posing great security risks. In response to the external exposure surface that cannot be converged, an external attack surface management system is established to carry out Internet exposure surface governance, fully understand the Internet exposure surface, and reduce the potential risk of losses that may be exploited by attackers. Camel Group has established an external attack surface management system based on four dimensions: asset discovery, efficient identification, impact assessment, and continuous monitoring. From the perspective of attackers, it summarizes the attack entrances that are most easily breached and exploited, promptly discovers and repairs potential security risks, and improves its own security.


Information security incident response

As a company that supports our customers' safe and secure business activities, we have established information security incident management systems and processes so that our organization can quickly respond, recover and notify when an information security incident occurs.

 

Before handling an incident, it should be determined whether it is a particularly major incident. If the emergency trigger conditions are met, it should be handled according to the emergency plan. Other situations should be handled according to the normal handling process.

 

After receiving information about attacks and vulnerabilities, we will take measures to develop a system recovery plan, including appropriate incident handling, patch application plans and business continuity plans (BCP) for the affected products or systems. If it cannot be completed as expected or it is found that the actual situation does not match the rating, the incident should be re-rated.

 

To ensure accountability to our stakeholders, we work hard to properly share and report incident information.

 

For security incidents suspected of being illegal or at an emergency level, the Information Security Executive Office should contact legal and audit personnel to analyze the incident, and after consultation among multiple departments, carry out regulatory reporting, cooperate with law enforcement, or file lawsuits.

 

Regularly conduct information security incident response education and training, publish information security detection reports to enhance employee awareness, and implement improvement activities.

 

Responding to security incidents requires an accurate technical understanding of the incident through log analysis, malware analysis, disk forensics, and other methods. It also requires determining overall policies and working with relevant parties inside and outside the company.

 

At the same time, we have been accumulating information about attackers' tools, processes and access methods, and improving the technical knowledge and skills of response team members through continuous training. This includes upgrading our organizational structure, rules and processes, and accumulating expertise so that we can speed up our response and minimize the impact.

 

Disposal plan

Information security incident levels: Level I (particularly serious incidents), Level II (serious incidents), Level III (general incidents), Level IV (minor incidents).

Level I, particularly serious incidents: response time 30 minutes; recovery time 4 hours; report to the Information Security Leadership Office; event summary: <Information Security Incident Handling Report> and <Information Security Incident Record Sheet>.

Level II, serious incidents: response time 1 hour; recovery time 8 hours; report to the Information Security Leadership Office; event summary: <Information Security Incident Handling Report> and <Information Security Incident Record Sheet>.

Level III, general incidents: response time 2 hours; recovery time 24 hours; report to the Information Security Management Office; event summary: <Information Security Incident Record Sheet> (no handling report).

Level IV, minor incidents: response time 4 hours; recovery time 48 hours; report to the Information Security Executive Office; event summary: <Information Security Incident Record Sheet> (no handling report).
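The disposal plan gives a response and recovery target per level, a reporting body and the documents each level requires, and the incident response section above says an incident is re-rated when handling cannot complete as expected. The script below is an added example of tracking open incidents against that plan; it is not Camel Group's own tooling. The targets are the ones in the table on this page; the two incidents are constructed, and treating "recovery deadline passed while still open" as the trigger for re-rating is this example's reading of the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Targets from the disposal plan on this page, keyed by incident level:
# (description, response time, recovery time, reporting body, required documents).
PLAN = {
    "I":   ("particularly serious", timedelta(minutes=30), timedelta(hours=4),
            "Information Security Leadership Office",
            ("Information Security Incident Handling Report",
             "Information Security Incident Record Sheet")),
    "II":  ("serious", timedelta(hours=1), timedelta(hours=8),
            "Information Security Leadership Office",
            ("Information Security Incident Handling Report",
             "Information Security Incident Record Sheet")),
    "III": ("general", timedelta(hours=2), timedelta(hours=24),
            "Information Security Management Office",
            ("Information Security Incident Record Sheet",)),
    "IV":  ("minor", timedelta(hours=4), timedelta(hours=48),
            "Information Security Executive Office",
            ("Information Security Incident Record Sheet",)),
}


@dataclass
class Incident:
    ident: str
    level: str
    detected: datetime
    responded: Optional[datetime] = None   # first responder action taken
    recovered: Optional[datetime] = None   # affected service restored


def check_incident(inc, now):
    """Compare one incident with the plan for its level. Milestones not yet
    reached are measured against 'now', so an open incident can already be overdue."""
    _, response, recovery, report_to, documents = PLAN[inc.level]
    response_by = inc.detected + response
    recovery_by = inc.detected + recovery
    response_breached = (inc.responded or now) > response_by
    recovery_breached = (inc.recovered or now) > recovery_by
    return {
        "incident": inc.ident,
        "level": inc.level,
        "report_to": report_to,
        "documents": documents,
        "response_breached": response_breached,
        "recovery_breached": recovery_breached,
        # assumption: an open incident past its recovery target is re-rated
        "needs_rerating": recovery_breached and inc.recovered is None,
    }


def sample_incidents():
    """Constructed sample: one Level I handled within plan, one Level III overdue."""
    return [
        Incident("INC-0001", "I", datetime(2024, 5, 6, 8, 0),
                 responded=datetime(2024, 5, 6, 8, 20),
                 recovered=datetime(2024, 5, 6, 11, 0)),
        Incident("INC-0002", "III", datetime(2024, 5, 6, 8, 0),
                 responded=datetime(2024, 5, 6, 10, 30)),
    ]


def review(now=datetime(2024, 5, 7, 9, 0)):
    """Evaluate the sample incidents at a fixed point in time."""
    return [check_incident(i, now) for i in sample_incidents()]


if __name__ == "__main__":
    for r in review():
        print(f"{r['incident']} (Level {r['level']}): report to {r['report_to']}; "
              f"response breached={r['response_breached']}, "
              f"recovery breached={r['recovery_breached']}, "
              f"re-rate={r['needs_rerating']}; documents={r['documents']}")
```

INC-0002 was acknowledged 30 minutes after its 2-hour response target and is still open an hour past its 24-hour recovery target, so it is flagged for re-rating; the check reports the body and documents for the current level so the re-rating decision is made with the plan in front of the responder.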


Information Governance

Personal Information Protection

 

Camel Group has established a global personal information protection system to strengthen the protection of personal data. Under the direct control of the Chief Information Security Officer and the Legal Department, we work with each region and group company to comply with the laws and regulations of each country, including GDPR.

 

GDPR: General Data Protection Regulation
European legislation that came into effect on May 25, 2018, requiring companies, organizations, and groups to protect personal data.

 

The GDPR sets rules for transferring personal data outside the European Economic Area (EEA), an obligation to report data breaches within 72 hours, and more. We are working to minimize security risks through a multi-faceted approach that strengthens global security governance.

 

Security education and training

In addition to basic education in information management and cyber security, we also fully disseminate lessons learned from the latest trends and incident response. We enhance the skills of professionals through internal and external training as well as attack and defense drills. We train our employees on incident response. For example, every year we provide practical training and emergency drills in accident scenarios for engineers and business personnel involved in business and internal operations. In the event of an incident with social impact, we also conduct incident training for executives and relevant departments to ensure rapid response and minimize the impact.

 

Camel Group will continue to work hard to cultivate digital culture and information security awareness, have CISOs and the organizations they directly control share information regularly within the company, assign security managers to support each department, and strengthen human resource development, with several Certified Information Security Professionals (CISPs). We strive to protect and improve information security for our customers through our products and services, while ensuring information security for the entire Camel Group.