
Information Security Management Policy

2025/10/22 15:40 Publisher: Onewo

Onewo Inc.


Version: V1.0

 

All information security policies of Onewo Inc. are publicly released in the Sustainable Development Policy section of the company's official website. We are committed to continuously improving the information security system, ensuring the integrity and protection of data, monitoring and responding to information security threats, clarifying the personal responsibilities of all employees for information security, and setting information security requirements for third-party suppliers.

 

1. Purpose

Onewo Inc. attaches great importance to information security and privacy protection, and strictly complies with relevant laws and regulations, including the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Personal Information Protection Law of the People's Republic of China. We have established an information security and privacy protection management system, and have issued and implemented a series of policies and systems such as the Vanke Property & Service Information Security Management Measures, the Application Security Management System, and the Personal Information Compliance Management System. In accordance with business needs and the latest regulatory requirements, we continuously update information security measures and systems on an annual basis.

 

2. Governance Structure

The Chief Information Security Officer (CISO) is a member of the company's management team, responsible for overseeing and guiding information security and privacy protection work. The CISO is tasked with formulating and maintaining the company's information security vision, strategy, and plans to protect company information assets and customer information.

The information security management organization of Onewo Inc. consists of four levels, namely the Technology Committee, the Information Security Functional Department, information security representatives of various business departments, and employees of various business departments. This ensures that the information security responsibility mechanism is implemented to all employees of the company, and the company will respond promptly in the event of an information security incident.

 

3. Scope of Application

With reference to the ISO27001 standard evaluation system, Onewo Inc. has issued a series of internal information security management systems, which are divided into Level-1 Documents (Security Strategies and Management Guidelines) and Level-2 Documents (Systems and Specifications). The scope covers all employees of Onewo Inc. and other service personnel (including part-time and outsourced employees), as well as all business activities of the company and its subsidiaries. Meanwhile, it also applies to our suppliers and partners.

 

The information security management systems of Onewo Inc. clearly specify the information security responsibilities and obligations of all employees and external third parties, so as to ensure the implementation of the responsibility mechanism. The information security responsibilities are specified in the Employee Handbook of Onewo Inc., and all employees are required to sign the Information Security Responsibility Letter. Contracts and service agreements between Onewo Inc. and suppliers include clear information security clauses, as well as data protection and confidentiality requirements.

 

4. Technical Measures

Onewo Inc. implements comprehensive management measures and a multi-layered defense-in-depth security technology system to provide security protection mechanisms for the company's information systems and data. This enables real-time monitoring and response to various information security threats while preventing data assets and sensitive information from being tampered with, leaked, or lost, ensuring their integrity. Specific technical measures include:

· Personnel Account Management: The account management of the various application systems is connected to the company's unified account management platform, which enforces the security management requirements for user accounts. All account applications must complete the approval process in the work approval procedure and are then implemented by operation and maintenance personnel, with records kept for audit purposes. When an employee leaves the company, their account is deactivated in the system in a timely manner.

· Endpoint Security: Endpoint detection and response (EDR) provides prevention, detection and response for various security threats (such as viruses, malware and ransomware), enhances the security of endpoints within the organization, and protects data assets and sensitive information.

· Host Security: Security functions including asset inventory, risk detection, intrusion detection, memory backdoor detection and baseline compliance inspection are used to fully identify and manage the information assets on hosts, monitor host risks in real time, block illegal intrusion behaviors, and reduce the major security risks currently faced by servers.

· Application Security: A Web Application Firewall (WAF) provides application-layer detection and interception of attack traffic for application systems published on the Internet, covering common OWASP Top 10 attacks such as SQL injection, XSS (Cross-Site Scripting) and CSRF (Cross-Site Request Forgery). It also provides application-layer access control.

· Network Security: A cloud firewall performs access control (including rule priority management) and intrusion prevention for both north-south and east-west traffic, and provides functions such as log auditing (rule hit logs and operation logs), so as to realize network security protection and management of cloud-based assets.

 

5. Certification and Audit

In 2025, Onewo Inc. has passed the audits of the Information Security Management System (ISO27001) and the Privacy Protection Management System (ISO27701) conducted by external institutions (see Appendix 2 for details).

 

6. Policy Review and Revision

This policy has been reviewed and approved by the Executive Management and reported to the Board of Directors. Based on changes in national laws and regulations, the actual operation of the company, and the results of performance evaluation, Onewo’s Data and Information Technology Center and ESG Office will initiate an update review by April 20th each year, and complete the update and release of this policy by June 30th to ensure its continuous effectiveness and applicability.


Onewo Inc.

ESG Office

Data and Information Technology Center

October 20th, 2025


Appendix 1: Onewo Inc. Information Security Work System


 

1. Business Continuity Plan (BCP) Related to Information Security

The "Information Security Business Continuity Management Specification" issued by Onewo Inc. defines the information security emergency response and recovery processes for information systems, backend data centers, and key business scenarios. Response plans are developed according to different information security risk scenarios such as network attacks, data facility failures, and cloud service failures. The company utilizes the default backup strategy service provided by the cloud service provider (full backup via snapshot every 7 days) and adopts differentiated backup strategies based on different business systems. The emergency response time is within 24 hours, and disaster recovery tests are conducted annually.

 

2. Information Security Vulnerability Analysis

The Information Security Functional Department of Onewo Inc. is responsible for regularly conducting information security vulnerability analysis, including:

1. Quarterly security scanning and hardening of operational business systems and servers.

2. Annual IT infrastructure security baseline configuration checks.

3. Conducting multiple penetration tests across the company annually.

4. Conducting one simulated attack drill annually.

5. Pre-launch security checks for business systems.

 

Additionally, for vulnerability alerts issued by the National Internet Emergency Center (CNCERT or CNCERT/CC), the Information Security Functional Department organizes relevant business departments or product teams for vulnerability analysis. If related vulnerabilities exist, remediation is carried out according to the company's information security management requirements, and fix status is tracked.

 

3. Internal Audit of Information Systems

The Information Security Functional Department conducts an internal information security compliance audit once a year in accordance with the requirements of the ISO27001 standard and the national classified protection requirements for information systems. The audit covers aspects including information security management, policies, access control, vulnerability management and data protection. For the problems identified in the internal audit, the company organizes the relevant departments to carry out rectification.

 

4. Independent External Audit of Information Systems

In terms of external audits, the company entrusts a third party to conduct information security audits every year. In 2025, the company passed the National Cybersecurity Level Protection Certification and the independent certification by DNV in accordance with ISO27001.

 

5. Incident Escalation and Reporting Mechanism

The company has established an internal information security incident management mechanism. Security tools are used daily for proactive monitoring of various external security threats. Abnormal security alerts are analyzed and investigated, and identified issues are tracked for remediation. Furthermore, an IT reporting platform and the contact email/phone number of the information security working group are published for all employees, ensuring that staff can promptly report security incidents, suspicious activities, system vulnerabilities, etc. Upon receiving information, the Information Security Functional Department organizes relevant internal departments to collaborate on handling the incident based on its type.

Onewo Inc. actively maintains communication with information security regulatory authorities (e.g., Cyberspace Administration, Communications Administration). Communication with suppliers and partners is maintained according to commercial contract agreements. In the event of a data breach or information security incident, a root cause analysis is conducted for the specific incident, discovered vulnerabilities are promptly fixed, and emergency measures are taken to minimize the impact.

Future preventive measures: on the management side, strengthen personnel awareness training and daily security patrols; on the technical side, improve and upgrade security protection tools.

6. Employee Information Security Awareness Training

The company attaches importance to employee information security awareness training. It conducts phishing email tests internally every year and carries out publicity by combining typical information security incidents. An information security awareness exam covering all employees is organized every year, with content including daily account security, password management, phishing email identification, data encryption and other aspects, and all employees are required to pass the exam. Meanwhile, exam content related to customer privacy information protection is added for front-line business departments to implement differentiated arrangements.

 

Onewo Inc. did not experience any data breach incidents during the previous financial reporting period.


 

Appendix 2: Information Security Management System Certification (ISO27001). Achieved date: July 26th, 2024.


Appendix 3: Privacy Information Management System Certification (ISO27701). Achieved date: July 26th, 2024.

