Data Breach Incident Reporting and Response Policy

This Policy establishes the responsibilities of the Response Team of the Beijing Center for handling all aspects of a Data Breach Incident, and applies to all Personnel of the Beijing Center.

I. Introduction

The Beijing Center is committed to compliance with all applicable national and local laws and regulations relating to the protection of cyber security, data security and personal information, including without limitation the Cyber Security Law, the Data Security Law and the Personal Information Protection Law of the People’s Republic of China.

This Policy establishes measures that must be taken to report and respond to a Data Breach Incident, including the determination of the systems affected, whether any protected data have in fact been compromised, what specific data were compromised and what actions are required for forensic investigation and legal compliance.

Capitalized terms used herein are defined in Part IV below.

II. Policy History

The effective date of this Policy is March 20, 2023.

III. Policy Text

A. Reporting

The Information Security Department is responsible for monitoring and detecting Data Breach Incidents. Personnel of the Beijing Center should immediately report any Data Breach Incident that they are aware of to the Information Security Department via the contact information set forth in Section D below, in order to mitigate the risk to information resources and protect the Beijing Center’s operations.

B. Response Team

Upon receipt of such report, the head of the Information Security Department and the head of the Legal Department or his or her delegate will convene the response team (“Response Team”).

The Response Team consists of representatives of the following units:

  • Information Security Department
  • Legal Department
  • Public Affairs Department
  • Human Resources Department
  • Department(s) affected by the Data Breach Incident

The following lists the general responsibilities of the members of the Response Team:

  • The Information Security Department will be responsible for serving as the incident lead for any Data Breach Incident.
  • The Legal Department is responsible for all legal issues associated with a Data Breach Incident, including identifying and complying with the breach notification requirements under the applicable laws.
  • The Public Affairs Department is responsible for all internal and external communications and media relations.
  • The Human Resources Department will advise on employment, labor and human resources issues and communications to the Beijing Center’s Personnel.
  • The affected department(s) will provide the support required to investigate and respond to the Data Breach Incident.

C. Procedures

The general steps in a response include the following:

      1. Incident Categorization

      The Response Team shall categorize a Data Breach Incident based on the severity of the incident, and take appropriate response actions.

      2. Response and Recovery

      The Response Team may call upon any necessary additional departments and resources required to carry out the investigation and remediation of a Data Breach Incident. The members of the Response Team will include representatives of the owners of the affected data and any other units responsible for the businesses and information resources involved.

      The (expanded) Response Team will be responsible for leading and overseeing the investigation and remediation of the Data Breach Incident. The Information Security Department must take immediate steps to secure the system that may have been compromised and preserve it without change, and investigate the Data Breach Incident and provide other necessary support from a technical perspective. The Legal Department shall advise on all legal issues in connection with the handling of a Data Breach Incident (e.g., the obligation to notify individuals whose personal information is affected and/or governmental authorities), and coordinate with external legal counsel to provide legal support when necessary.

      3. Lessons Learned

      After a Data Breach Incident has been resolved, the Response Team will convene to discuss the security controls that failed and establish the steps necessary to prevent or limit the risk of the incident recurring. The Response Team shall prepare an incident report, and when necessary, submit the report to the management of the Beijing Center for review and approval.

The Information Security Department may, in consultation with the Legal Department, develop additional internal procedures for handling Data Breach Incidents, including establishing internal reporting procedures and timelines, and issuing report templates or incident response checklists.

D. Contact Information

Information Security Department

Email: [email protected]

Telephone: 86-010-82483887-800

IV. Definitions

“Beijing Center” means Beijing Columbia International Consulting Center Ltd.

“Data Breach Incident” means any actual or suspected breach of personal information, data security or cyber security, including without limitation any unauthorized access to, leakage of, tampering with or loss of personal information or other data, as well as system bugs, computer viruses, network attacks, network intrusions and other security vulnerabilities, risks and incidents.

“Personnel” means all directors, managers, officers, agents, representatives and employees of the Beijing Center.

“Response Team” has the meaning given to it in Section B, Part III above.