Development

Information and Data Security
Reciprocal
Partnership

Information and Data Security

VNET is deeply involved in the field of information security. We rely on our solid information security management system, strict data protection system, information security system and risk management procedures and our sound employee information security training programs to continuously improves and strengthens the operation and management capabilities of data centers and cloud service platforms to safeguard customers' information and data.

System construction

VNET constantly strengthens the construction and implementation of the information security management system. Through the Compliance and Information Security Management Regulations, the Information Security Management System Guidelines, the Information Security Risk Management Procedures and other systems, the Group clarifies the information security management responsibilities of each business department, and provides standardized guidance for the daily practice of information security management.

Management structure

VNET has established a Compliance and Information Security Management Committee, which is the highest leading body for the management of compliance and information security. The Compliance and Information Security Working Group under the committee is responsible for daily information security management with the primary goal of ensuring business legality, compliance, security and alignment as well as efficient operations.

We have established a mechanism to identify and manage information security risks, summarized our information assets, carried out risk assessment regularly, and guided the incident handling personnel to make timely emergency response through the emergent/major information security incident response mechanism, in order to minimize the possible adverse impact of the incident. Meanwhile, we have established a smooth communication mechanism with the Ministry of Industry and Information Technology, the Cyberspace Administration, the Ministry of Public Security, other regulatory agencies and their supporting units to timely understand and assess changes in the legal environment and integrate our understanding into targeted management practices.

Certification for Information Security Management System

Our data centers are certified as level 3 by the China Cybersecurity Review Technology and Certification Center (CCRC) for information system security integration service, information security emergency response service, and information security risk assessment service. In addition, we are ISO 27001 certified in our main operating regions.

In terms of cloud service, VNET Blue Cloud passed a range of international and domestic authoritative certifications related to information security and data privacy, including Information Technology Service Management System (ISO 20000), the Public Cloud Personal Information Protection Management System (ISO 27018), Trusted Cloud Services), and etc. Among them, ISO 27018, also known as the "Cloud Privacy Protection Certification", aims to provide a set of codes of practice for cloud providers to protect Personally Identifiable Information (PII) in the public cloud against infringement. VNET Blue Cloud has passed this certification for five consecutive years.

Trusted Cloud Services (TRUCS) certification is an authoritative assessment of the trust system of cloud computing in China. VNET Blue Cloud has been TRUCS-certified since the first batch of certificates was issued in 2014. To date, Blue Cloud has received 11 TRUCS certificates. In 2022, VNET Blue Cloud also passed the Class III network security assessment, covering Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). These achievements mean that we can provide customers with all-around cloud security services, ranging from basic network systems, cloud platforms to cloud applications.

VNET Blue Cloud has passed the SOC4 audit conducted by an independent third-party auditor for three consecutive years and obtained SOC1, SOC2, and SOC3 reports. This demonstrates that the capabilities of Blue Cloud in terms of internal control, security, availability, process integrity and confidentiality have reached the industry's authoritative standards.

Information security management

Physical security is the basis for our information security management. Data centers are designed under national grade-A standards of GB 50174-2017, and meet the Class III physical environment security protection requirements. We pay close attention to the security around data centers and install surveillance facilities inside these data centers as well as at their entrances or exits; place gate machines at the entrances of data centers and office buildings and set access permissions; and require visitors to register and obtain permission before entering our workplaces to protect our equipment and facilities and strengthen access control. On top of this, we provide a higher level of physical security management by incorporating the special needs of customers.

In terms of internal network security, VNET mainly focuses on internal network management and continuously standardizes employee behaviour. We formulated the Regulations on Access Management Systems, the Office Network Security Access Management Regulations, the Remote Access Permission Management Regulations and other regulations to standardize security operations by employees in different working environments. Employees must follow all the regulations on equipment, networks, accounts, IPs and firewalls before they can be granted network access. Data loss prevention (DLP) terminals are installed on all employees' office equipment to manage all programs within the computers and monitor information transfer tools to avoid leakage of important information. In addition, we conduct weekly security audits of sensitive operations on critical information systems.

To ensure external network security, VNET actively monitors and responds to potential network security threats. By deploying information security products, we monitor the Group's office network for viruses and malicious attacks each day; Meanwhile, we perform vulnerability scans and penetration tests every month to evaluate the integrity of the existing network security system and make improvements. We have developed special defence solutions to address various types of network attacks. For example, we apply high-availability unified threat management (UTM), web application firewall (WAF), traffic cleaning, etc. to prevent malicious and unauthorized intrusions and carry out network boundary defence; and perform network detection and response (NDR), endpoint detection and response (EDR), log audit, etc. to improve the ability to detect and discover advanced persistent threats (APTs) and post-exploitation and conduct in-depth defence.

Privacy and data security protection

VNET has utilized world-leading encryption methods, protocols and algorithms to ensure that customer data is securely transmitted and confidentially stored within our infrastructure. We have applied a variety of security protection technologies and methods to fully secure the customer cloud computing environment. While discussing the choices of technology types with our customers in the early phase of a project, we conducted research on customers' requirements for information security to customize cloud platform information security solutions, including the selection of cloud platforms and security components as well as suggestions on security strategies and network isolation.

We have formulated a privacy protection policy to ensure the security of personal data and privacy. In the process of data collection, we adhere to the principle of "minimization"; we provide employees and customers with the permission to authorize access to, manage and delete their personal information as well as inform them of the ways to use data to ensure their right to know and make decisions; in addition, we have established a comprehensive data protection process to maximize the security of data.

Personnel training

We highly value fostering an information security culture and awareness among our employees and offering targeted training covering multiple dimensions such as information security regulations, concepts, systems and technologies based on diﬀerent risks in diﬀerent positions that the employees may face. The Group organizes various forms of information security training for employees, including data and privacy protection-related training; adds information security modules to the induction training program for recruits; and conducts special training on laws and regulations related to information security from time to time.

In 2022, we engaged security experts to explain the 2.0 requirements of Class III information security protection to all employees to enhance their knowledge of information security. 100% of our employees have received training in information security.

Reciprocal Partnership

VNET cooperates with diverse business partners and is committed to establishing to mutually beneficial cooperation with suppliers. We strictly implement the responsible procurement principle, actively identify, prevent and control potential risks in all aspects of the supply chain. We spare no effort to help the entire industry chain to jointly create an open and mutually beneficial cooperation environment.

Closed-loop procurement management

VNET strictly complies with national laws and regulations and relevant regulations of the industry. Through developing internal regulations such as Regulations on Procurement Management, Rules on Supplier Management, Rules on Procurement Personnel Behavior, we clearly define the responsibilities for each step of the procurement process, standardizes the behavior of procurement personnel, strictly controls the quality of suppliers, and implements closed-loop procurement management.

In 2022, VNET further optimized its supplier access management and improved supplier management efficiency by distinguishing between "standard access" and "express access". For substandard suppliers, we improved the classification mechanism and classified them into rectifying suppliers, unqualified suppliers, suspended cooperation suppliers and blacklisted suppliers, helping substandard suppliers solve problems in a targeted manner.

Meanwhile, we have also built a supplier relationship management (SRM) system. The SRM system allows us to perform online supplier sourcing, supplier certification and supplier life cycle management. These functions can be performed while enhancing the visualization and traceability of the procurement process.

As of the end of the reporting period, we had a total of 2,623 suppliers recorded in the database, including 5 from Hong Kong, Macau and Taiwan and 5 from other countries and regions.

Sustainable supply chain

Committed to building a sustainable supply system, VNET identifies, prevents and controls the potential risks in all aspects of procurement. The comprehensive performance of suppliers is assessed from multiple perspectives based on a full-chain model integrating supplier qualification review, on-site inspection, internal assessment and testing, shortlist announcement and final selection.

We aim to safeguard procurement needs and ensure obligation fulfillment while actively urging our suppliers to improve sustainability. In each work process of the supplier management, we incorporate considerations on their ESG risks and focus on their performance in environmental protection and low carbon, information security, labor rights and interests, occupational health and safety, as well as honesty and integrity.