Information Security Management System Manual

Edition record

Edition | Reason for change | Prepared by | Audited by | Date issued | Effective date
1.0 | Initial edition of the manual | | | |

Approved by (signature):
Date:
Information Security Management System Manual

0. Purpose of the Information Security Management System

Having assessed the relevant information security risks, the company implements security policies and procedures with the primary goal of protecting the information and information assets of the company, its customers and individuals. The objective of this policy is to establish common guidelines for maintaining the confidentiality, integrity and availability of information in a controlled manner that is consistent across the whole organization.

This manual has been written in accordance with ISO/IEC 27001:2005, "Information security management systems — Requirements", adapted to the actual management conditions of our company. It is used to demonstrate to customers and third parties, under contractual conditions, that our Information Security Management System (ISMS) meets the specified standard.
1. Information Security Management System Policy

Meet customer requirements, implement risk management, ensure information security, and achieve continual improvement.

In order to guarantee the confidentiality, integrity and availability of all information assets and to provide customers with a more dependable service, we have established an ISMS in accordance with ISO/IEC 27001:2005 and commit to the following:

1) Establish a complete information security management organization at every level of the company; define the information security policy, security objectives and controls; and assign clear management responsibilities for information security;
2) Identify and meet the information security requirements of applicable laws and regulations and of interested parties such as customers;
3) Carry out information security risk assessments and ISMS reviews at regular intervals, and take corrective and preventive action to keep the system continually effective;
4) Use advanced and effective facilities and technology to process, transmit, store and protect all categories of information;
5) Provide continuing information security education and training to all staff, steadily raising their information security awareness and competence;
6) Establish and maintain a sound business continuity plan in order to achieve sustainable development;
7) Review the suitability and adequacy of this policy at regular intervals against actual conditions, and revise it when necessary;
8) The company derives its specific security policies and procedures from this ISMS policy.
2. Scope of the Information Security Management System

The ISMS covers all departments, staff, systems and network infrastructure of the company. It also covers external parties who affect information security (suppliers, customers, other relevant third parties, etc.).

2.1. Responsibilities

The information security policy is owned by the Information Security Manager, who holds the management responsibility for formulating, reviewing and evaluating it. The review shall include assessing opportunities to improve the organization's information security policy, and the approach to managing information security in response to changes in the organizational environment, business circumstances, legal conditions or technical environment. The policy review shall take the results of management review into account.

The information security policy shall be reviewed at the annual management review, or whenever a significant change occurs, to ensure its continuing suitability, adequacy and effectiveness.
3. Organization Structure

3.1. Company organization chart

Figure: Organization structure of IAC Search & Media Company. Departments shown: HR department, IT department, Research department, Financial department, Management department.
3.2. Information security management organization

Information Security Committee:
Director: Liang Zuomin
Management representative: Cao Xuejun
Members: Fang Qi, Yu Ling, Shi Yan, Lily Wang, Ye Jianxing, Huang Zhihua, Pan Hangping, Liu Jing

Figure: Organization structure of the Information Security Committee of IAC Search & Media Company (management representative: Cao Xuejun).

Information Security Group:
Group leader: Fang Qi
Members: Yu Ling, Shi Yan, Lily Wang, Ye Jianxing, Huang Zhihua, Pan Hangping, Liu Jing
4. Framework of the Information Security Management System

The company shall develop, implement, maintain and continually improve a documented ISMS based on its overall business activities and risks, using the PDCA (Plan, Do, Check, Act) continual improvement model as the guiding principle throughout all information security management.