Sinotruk (Hong Kong) Limited
Information Security Policy
1. Purpose
To strengthen the information security management system of Sinotruk Group, clarify the information security responsibilities of all personnel, protect data integrity, prevent information security threats, and ensure the secure and controllable management of Group information assets (including business data, confidential information, intellectual property, and IT resources), thereby supporting the stable operation and compliant development of Group businesses, this policy is hereby formulated.
2. Scope of Application
This policy applies to all employees of Sinotruk Group and all 'business partners' engaging in business activities with the Group (including but not limited to customers, suppliers, agents, distributors, service providers, and third-party intermediaries).
3. Core Commitments and Requirements
3.1 Continuous Improvement of the Information Security System
Sinotruk Group commits to continuously optimizing its information security management system through regular assessments, risk monitoring, and technological upgrades, ensuring its alignment with Group business development, regulatory requirements, and evolving technological environments, thereby effectively addressing emerging information security challenges.
3.2 Ensuring Data Integrity and Protection
The Group strictly protects the integrity of all business data (including financial, customer, R&D, operational, and other data) through technical and management measures such as encrypted storage, access control, and backup recovery, preventing data tampering, loss, or damage, and ensuring the accuracy, availability, and security of data throughout its lifecycle.
3.3 Monitoring and Responding to Information Security Threats
Sinotruk Group has established an information security monitoring mechanism covering networks, systems, terminals, and employee behaviors to proactively identify potential threats (such as cyberattacks, data breaches, and malware). Through emergency response plans, incident handling procedures, and regular drills, the Group ensures rapid mitigation of security incidents, minimizes risk impacts, and safeguards business continuity.
3.4 Clarifying Information Security Responsibilities for All Employees
All employees of the Group (including management) are the first line of responsibility for information security. They must strictly comply with Group information security policies and operational procedures, proactively identify and report potential risks, and refrain from any non-compliant behaviors (such as disclosing confidential information, using weak passwords, or connecting unauthorized devices). Management must lead by example to foster an information security culture and ensure accountability at all levels.
3.5 Establishing Information Security Requirements for Third Parties (e.g., Suppliers)
Sinotruk Group requires all third-party partners (including suppliers and service providers) to adhere to the same information security standards during collaboration. Contractual terms will explicitly define their obligations for data protection, access permission restrictions, and accountability for violations. Prior to collaboration, third parties will undergo information security capability assessments, and ongoing supervision will be conducted during partnerships to ensure their handling of Group information complies with Group security requirements, thereby mitigating supply chain security risks.
3.6 Information Security Supervision and Management Responsibility
Sinotruk Group has established a Network Security and Informatization Leadership Group chaired by the Chairman, serving as the highest decision-making body for the Group's information security supervision and management. This leadership group is fully responsible for the strategic planning, major decision-making, and supervision of the implementation of information security work.
4. Supporting Management Requirements
4.1 Employee Behavioral Standards
All employees of the Group must strictly protect confidential information (such as customer data and R&D materials), must not transmit it externally, retain it, or use it without authorization, and must lock their screens promptly when leaving their workstations. When using Group IT devices, employees must set strong passwords and update them regularly, and enable encrypted communication (e.g., VPN) when processing sensitive information over public networks. Any suspicious emails, system vulnerabilities, or other anomalies must be immediately reported to the Information Security Department or direct supervisors.
4.2 Supervision and Improvement Mechanisms
The Group conducts regular information security audits and incident reviews to identify vulnerabilities and root causes, continuously optimizing protective measures. Annual information security training for all employees and specialized education for key positions are implemented to enhance risk awareness and compliance capabilities across the organization.