Fostering Sustainability

Making the Living Environment Better

For good, for kind, and for tomorrow

Focus on ESG's key areas, to create social value and promote sustainable and high-quality development
Green Development and Environmental Protection
Build a Harmonious Society
Compliance Governance

Information Security

The Group strictly adheres to the Cybersecurity Law of the People’s Republic of China (《中華人民共和國網絡安全法》), the Personal Information Protection Law of the People’s Republic of China (《中華人民共和國個人信息保護法》), the Civil Code of the People’s Republic of China (《中華人民共和國民法典》), and other laws and regulations. In accordance with these laws and regulations, we have established Group-wide internal management systems, including the Information System Data Backup and Recovery Management System (《信息系統數據備份與恢復管理制度》), the Information Security Incident Management System (《信息安全事件管理制度》) and the Information System Emergency Response Plan (《信息系統應急預案》), to safeguard information security. Zhongyan Property Management, a subsidiary of the Group, strictly complies with the Property Management Regulations of Beijing Municipality (《北京市物業管理條例》) and other relevant regulations and is committed to the principle of protecting the privacy of its customers. In addition, Zhongyan Property Management has its employees sign confidentiality agreements and service commitment letters to ensure that the privacy of customers is fully protected during its property management services.

Information security governance

The executive management of the Group is responsible for approving security plans and security management systems, coordinating and directing the emergency response to information security incidents, and overseeing the execution of information security management. Heads and technicians of the information management department are responsible for the specific tasks of information security. Additionally, open channels are established to allow employees to report information security risks and potential hazards identified in their work processes. The Group places great emphasis on information security and integrates it into employee performance evaluations. Employees who violate information security or cybersecurity requirements will face penalties in the form of downgrades in their performance ratings.

Information security measures

The Group continuously implements and optimizes the existing security protection measures and ensures that the operating systems are regularly updated with security patches based on the results of security scans. To further prevent disruptions of IT systems and cyber-attacks, the Group has formulated the Information System Emergency Response Plan of Beijing Enterprises Urban Resources Group (《北控城市資源集團信息系統應急預案》) as well as an off-site data backup strategy, setting up an effective emergency response mechanism and conducting two data recovery tests annually. In addition, the Group actively engages in third-party vulnerability analysis, using vulnerability scanning services (VSS) to scan application systems for vulnerabilities and generate analysis reports, and sending the reports to application system vendors for vulnerability fixes. Concurrently, we use enterprise host security (HSS) services to detect and fix host operating system security vulnerabilities, thereby enhancing our ability to handle information system security emergencies and ensuring business continuity and stability. At the same time, we periodically send security reminder emails to employees, alerting them to guard against viruses, phishing, fraud, and other email threats, maintaining vigilance and effectively preventing information risks.

In terms of technical measures, to improve server security management, the Group carried out technological upgrades in areas such as identity authentication, access control, security audit, intrusion prevention, malicious program prevention, and data integrity.

• Identity authentication: user identification is implemented, and the security of identity authentication is improved through unified identity authentication, a strong password policy, multifactor authentication, etc.

• Access control: the servers of the production, test and development systems are divided into separate zones and isolated from each other. User behavior is access-controlled through the bastion host, and permissions are assigned according to the principle of least privilege.

• Security audit: using the audit function of the bastion host, and based on the unique identifier of each user in the identity system, the user’s operations in the system are recorded throughout the whole process from login onward, and all operations by management system users on the target resources are monitored and audited to enable real-time detection and early warning of security events.

• Intrusion prevention: develop a baseline inspection strategy to detect and update system vulnerabilities in a timely manner. Enable intrusion detection, which can detect account brute-force cracking, process abnormalities, website backdoors, abnormal logins, malicious processes, and other intrusion behaviors, and detect security threats to assets in real time. Enable the web application firewall to recognize and block web trojan uploads, command/code injection, sensitive file access, third-party application vulnerability attacks, malicious crawler scanning, and other attacks.

• Malicious program prevention: ensure that identified malicious programs such as backdoors, trojans, and worms are automatically isolated, and automatically identify security risks in the processing system.

• Data integrity: the Group conducts daily backups of databases and regular backups of servers.

Conducting cloud bastion host application and accountability mechanism training to enhance information security protection level

To standardize the review processes that internal department system administrators follow when accessing application system resources, and to further enhance employees’ information security awareness, the Group conducts in-depth analysis and exploration of application scenarios for cloud bastion host solutions. The aim is to achieve fine-grained control of permissions, ensure that resource operations leave a complete trace, effectively audit user actions, and trace potential incidents and assign accountability for them. By strengthening operational procedures, we reduce the risk of illegal operations such as non-compliant actions and abuse of authority, ensuring information security and achieving a fully traceable information security accountability mechanism, thereby comprehensively improving the level of information security management.

Information security certification

The Group’s systems are hosted on a third-party cloud platform, which holds ISO 27001 Information Security Management System Certification and ISO 27017 Cloud Services Information Security Management System Certification, to further ensure the security of the Group’s data and information. Furthermore, as part of the financial statements audit conducted by external auditors, the Group regularly undergoes digital audits and IT audits of its IT infrastructure and information security management system. Based on the audit results, we continuously improve our management to ensure compliance and security.