The Data Security and Personal Information Protection Policy of China State Construction Engineering Corporation Limited

I. Overview

China State Construction Engineering Corporation Limited (hereinafter referred to as “CSCEC” or “the Company”) abides by the guideline of “unified leadership with hierarchical accountability; overall planning with continuous optimization; comprehensive risk prevention with equal emphasis on management and technology; and full participation with enhanced awareness” in its cybersecurity and data security management practices. The Company strictly complies with applicable laws and regulations governing data security, including the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the national Multi-Level Protection Scheme (MLPS) and other statutory data security requirements. On that basis, the Company develops and iterates its data security governance system and delivers full-lifecycle data security risk control. The Key Points of the Data Security and Personal Information Protection Management Policy of CSCEC (hereinafter referred to as “this Policy”) are intended to ensure the confidentiality, integrity, and availability of the Company’s information assets, safeguard the Company’s business interests and customer privacy, and protect the Company’s reputation.

II. Scope of Application

This Policy applies to the Company, its field offices, and all subsidiaries. Overseas entities may make appropriate adjustments when implementing this Policy in accordance with the specific requirements of applicable cybersecurity laws and regulations in their respective jurisdictions. Entities operating in special sectors may, based on the specific requirements of their competent supervisory authorities, implement the relevant provisions of this Policy by reference. The Company encourages all directors, senior management personnel, employees, and value chain partners, including service providers, contractors/subcontractors/suppliers, and business partners, to adhere to this Policy and jointly safeguard information and privacy security.

III. Organizational Structure

The Company has established a data security governance framework covering the Board of Directors, senior management, entities at all levels, and various departments. The Company has established dedicated organizational bodies, including the Leading Group on Digitalization and Cybersecurity, the Working Group on Digitalization and Cybersecurity, the Information Technology Management Department, and the Information Center. The Leading Group on Digitalization and Cybersecurity serves as the highest governing body for data security management. It is chaired by the Chairman of the Board and comprises multiple directors and members of the senior management team. In accordance with regulatory requirements and the Company’s internal policies, the Leading Group performs responsibilities related to data security management, regularly reviews reports on data security, makes major strategic decisions and arrangements, and assumes overall responsibility for cybersecurity matters. The Working Group on Digitalization and Cybersecurity is responsible for advancing and implementing cybersecurity initiatives, as well as coordinating cybersecurity protection activities and the handling of significant cybersecurity incidents. The Information Technology Management Department serves as the standing body responsible for cybersecurity management and performs related management functions. The Information Center is responsible for carrying out tasks assigned by the Information Technology Management Department and providing technical services related to cybersecurity development and operations. Relevant business departments and field offices are responsible for managing cybersecurity-related matters associated with the development and use of the business information systems under their administration, supporting the implementation of cybersecurity measures, and assuming corresponding cybersecurity responsibilities. Each subsidiary shall establish its own cybersecurity organization by reference to the cybersecurity organizational framework of the Company and file the relevant information with the Company for record purposes.

The Chairman of the Company serves as the primary person-in-charge for cybersecurity and data security. The senior management executive in charge of cybersecurity and data security serves as the directly accountable person. The status of cybersecurity and data security management, as well as the fulfillment of related responsibilities, shall be reported to the senior management annually.

IV. Information Security Management Commitments and Actions

CSCEC is committed to continuously enhancing and upgrading its information security management system. The Company conducts procedural and periodic reviews of the effectiveness of its cybersecurity policies on a regular basis. Where necessary, the Information Technology Management Department organizes targeted revisions and improvements to relevant cybersecurity policies. Revised policies shall be submitted to the General Manager’s Office Meeting for consideration to ensure that information security policies remain scientifically sound and effective.

1. Information Security Management System Audits

The Company follows internationally recognized information security management system certification standards (ISO/IEC 27001) and the national basic system for Classified Protection of Cybersecurity (MLPS). An internal audit and management review of the information security management system are conducted annually under the organization of the Information Technology Management Department. The audit covers, among other matters, the effectiveness of existing cybersecurity technical measures, the consistency between cybersecurity configurations and cybersecurity policies, the implementation of the cybersecurity management system, the effectiveness of cybersecurity policies and cybersecurity records, system vulnerabilities, and data backup arrangements. External reviews include cybersecurity law enforcement spot-checks and industry regulatory inspections. Each year, the Company engages third-party certification institutions accredited by IAF, CNAS, and CMA to conduct information security management system audits and information system security audits.

2. Information Security Risk Management

The Company conducts a comprehensive risk assessment of its critical information systems once each year. During major events or sensitive periods, special assessments of information systems may be initiated as necessary. Risk assessments may be conducted through either self-assessment or third-party assessment, and corrective actions shall be implemented based on the assessment results. The Company regularly carries out vulnerability scanning and security testing to identify cybersecurity vulnerabilities and risks. Any identified data deficiencies, cybersecurity vulnerabilities, and security risks shall be promptly assessed and remediated. Where vulnerabilities or risks cannot be immediately resolved, other effective protective measures shall be implemented to mitigate the associated risks.

3. Data Security Management

The Company has formulated the Measures for Data Management of China State Construction Engineering Corporation Ltd., under which data are categorized and classified according to their content and intended use, with full-lifecycle control requirements established for each data category and classification level.

During the data collection phase, the sources, scope, and frequency of data collection and acquisition shall be clearly defined to ensure that only data necessary for business operations are collected and acquired. Necessary controls shall be implemented over the data collection and acquisition environment (such as collection channels), facilities, and technologies to avoid risks such as data loss and leakage during the data collection process. During the data transmission phase, data shall be protected in accordance with their classification levels. Sensitive data should be encrypted during transmission, and personal information must be encrypted during transmission.

During the data exchange phase, the scope of data exchange shall be limited according to business needs. Secure and reliable technologies shall be adopted to facilitate data exchange and mitigate risks such as data loss and data leakage during the exchange process.

During the data storage phase, data shall be protected in accordance with their classification levels. Sensitive data shall be stored in encrypted form, and personal information must be encrypted when stored.

During the data processing phase, personal information or sensitive data shall undergo anonymization, de-identification or desensitization before processing to preclude unauthorized disclosure or tampering.

During the data destruction phase, appropriate data destruction mechanisms shall be established based on data classification and grading requirements. Relevant supervisory roles shall be designated to oversee and monitor the destruction process.

4. Protection of Customers’ Personal Information

The Company requires that, during the collection of customers’ personal information, data subjects be informed of the purposes of processing, processing methods, and security management measures applicable to their personal information. Prior to obtaining the explicit consent of the data subject, personal information shall not be processed beyond the previously communicated particulars. Where changes in business requirements necessitate modification or expansion of the purposes or methods of personal information processing, the data subject shall be promptly informed, and explicit consent shall be obtained. When processing personal information or sensitive data, anonymization, de-identification, or data desensitization measures shall be implemented to prevent data from being disclosed or compromised during processing. Data users shall ensure that the data they use are obtained from lawful and compliant sources and shall not copy, use, disseminate, or retain data unrelated to their job responsibilities without authorization. Where personal information cannot be completely destroyed after the expiration of the applicable retention period due to special circumstances, de-identification measures shall be applied to ensure that any retained data can no longer be used to identify specific individuals.

5. Business Continuity Assurance

The Company ensures business continuity through disaster backup and recovery management, as well as inspection and duty management mechanisms. Based on the importance of data and its impact on system operations, the Company has established data backup and recovery strategies, procedures, and related measures. The Company has also established an inspection and duty management mechanism under which regular inspections are conducted on computer rooms, servers, databases, network devices, systems, and logs to ensure the continuous operation of business activities.

6. Information Security Training

The Company strengthens education and training for all employees regarding information protection obligations, risks, and behavioral requirements in order to enhance their information protection awareness and accountability. Upon onboarding, employees are required to sign a Confidentiality Agreement and receive security awareness training. For personnel whose positions involve access to the Company’s trade secrets and confidential business information, the Company implements appropriate employment contract management and personnel training measures. Professional technical training is provided regularly to personnel occupying cybersecurity-critical positions, and written assessments are conducted accordingly. The Company also provides cybersecurity awareness enhancement training for external personnel to ensure that they understand and comply with the Company’s cybersecurity-related policies.

7. Primary Responsibilities of All Employees

All employees are participants in the oversight of information security management, and shall strictly comply with the Company’s information security and confidentiality management policies and proactively fulfill their individual information security responsibilities. Employees who identify abnormal situations that may affect business operations shall report such incidents to the Information Center. Cybersecurity operations and maintenance personnel who identify security alerts through monitoring tools shall likewise report them to the Information Center.

8. Partner Management

The Company requires its partners, including suppliers, to ensure that their cybersecurity protection capabilities comply with applicable national requirements and satisfy the relevant provisions of the Measures for the Selection and Engagement of External Service Providers at the Headquarters of China State Construction Engineering Corporation Ltd. Through cybersecurity responsibility commitments, service agreements, and confidentiality agreements entered into with suppliers, the Company clearly defines their cybersecurity responsibilities and obligations and conducts corresponding supervision and management. The Company regularly monitors, evaluates, and audits services provided by suppliers and exercises control over changes to service content to prevent any adverse impact on the security of such services.

V. Information Security Incident Reporting Channels

The Company has established a cybersecurity incident reporting hotline. All employees are obligated to report suspicious clues such as phishing emails and malicious information. The in-house cybersecurity team maintains round-the-clock on-duty service to archive incoming reports and launch instant investigation for efficient incident disposal. The Company has also established a 24-hour hotline to receive complaints and reports concerning information security incidents from customers and the general public.

The Company reserves the right to revise and update relevant policies as appropriate in response to national policies, regulatory requirements, industry developments, and internal conditions.
