HW supplier information security management system self-check table, for reference only.
Information and Instructions
PURPOSE
This supplier information security management system self-check table and audit report provides standardized guidance for evaluating the status of a supplier's information security management system.
SCOPE
The HUAWEI Information Security Systems Audit (this self-check table and audit report) is applicable to the self-check and Huawei audit of Huawei's customized-component and EMS suppliers, and of suppliers pending qualification.
AUDIT BY SELF ASSESSMENT
1) The supplier is required to complete a self-assessment using this tool in advance of the Huawei audit, scoring the information security management system against the scoring criteria and providing the corresponding evidence.
2) After the self-check, the report shall be signed by the internal auditor, the reviewer, and the approver. The reviewer shall be a middle-level manager in charge of information security; the approver shall be a high-level manager in charge of information security, that is, the (deputy) general manager responsible for security or the security management representative, or above.
AUDIT BY HUAWEI
During the formal Huawei audit, this audit report template and checklist are designed for a two person-day audit. The audit methods include on-site inspection, document review, and interviews with management and employees.
AUDIT FINDINGS CLASSIFICATION
Audit findings are classified into the following three groups by the severity of the information security risk:
(1) Major problems: red-line issues (prohibitions, super high risk), for example, a competitor of Huawei visiting a Huawei-dedicated zone or physically isolated area.
(2) Major nonconformities: restricted items (high risk), for example, a computer used to receive Huawei documents whose USB or other ports are not disabled, or a server or shared drive whose access permissions are not controlled.
(3) Minor nonconformities: general nonconformities (medium/low risk), for example, no information security management requirements have been formulated.