Information Security and Data Privacy
VNET is deeply involved in the field of information security. We rely on our solid information security management system, strict data protection system, information security system and risk management procedures and our sound employee information security training programs to continuously improve and strengthen the operation and management capabilities of data centers and cloud service platforms to safeguard customers' information and data.
System construction
VNET constantly enhances the construction and implementation of the information security management system. Through the Compliance and Information Security Management Regulations, the Information Security Management System Guidelines, the Information Security Risk Management Procedures, and other systems, the Group clarifies the information security management responsibilities of each business department, and provides standardized guidance for the daily practice of information security management. According to the Compliance and Information Security Management Regulations, all employees, including managers, must adhere to their relevant obligations. We have established a clear escalation process for employees to report concerns, issues, and defects when suspicious situations are discovered.
We have established a sound information security governance structure to oversee and execute information security work. The Audit Committee on behalf of the Board shall maintain oversight of the disclosure related to cybersecurity matters in the periodic reports of the Group. The Group’s information security program is overseen by our Chief Information Security Officer (CISO), with collaboration across businesses and functions and input from both management and the Board of Directors. The CISO is responsible for establishing and executing the Group’s information security strategy, the primary goal of which is to protect Group information and technology assets. This includes monitoring, reporting, managing and remediating cyber threats.
We have obtained Level 1 disaster backup and recovery certification and Level 2 security operation and maintenance certifications issued by the China Cybersecurity Review, Certification and Market Regulation Big Data Center. Our data centers have also obtained Level 3 information system security integration certification, Level 3 information security emergency response certification, and Level 3 information security risk assessment certification. We regularly conduct classified protection (Class III) assessments of data centers and application systems. This allows us to identify security issues in information systems, provide an overall solution for information security, and ensure systems operate stably. At the same time, we have conducted SOC2 Type II audits and obtained independent evaluation reports issued by professional third-party accounting firms in accordance with the auditing standards of the American Institute of Certified Public Accountants (AICPA) regarding the appropriateness of control design and the effectiveness of operation related to the security and availability of the Internet data center service system in a certain data center. At present, a number of sites involved in our main business have been certified to Information Technology Service Management Systems (ISO/IEC 20000) and Information Security Management Systems (ISO/IEC 27001).
In terms of cloud services, 21Vianet Blue Cloud has passed a range of authoritative certifications related to information security and data privacy. These include Information Technology Service Management Systems (ISO/IEC 20000), Information Security Management Systems (ISO/IEC 27001), the first international standard focused on personal data protection in public clouds (ISO/IEC 27018), the Trusted Cloud Services (TCS) Evaluation, and Information Security Technology Classified Protection of Cybersecurity (DJCP), rated at Level 3, among others, providing all-round cloud security services for customers.
Supporting measures
Following the Group's information security management system, we have formulated supporting measures and emergency response processes in terms of physical security, as well as internal and external cybersecurity. This ensures the promptness and efficacy of risk control measures for data security.
Physical security
Data centers are constructed in compliance with the national Grade-A standards outlined in the Code for Design of Data Center (GB 50174-2017), and they also meet the physical environmental security requirements specified in the Class III evaluation requirements for classified protection of cybersecurity.
We place gate machines at the entrances of data centers and office buildings and set access permissions for personnel. We also install surveillance facilities at the entrances and exits inside data centers.
Internal cybersecurity
We have formulated the Information Security Management Strategy, the Office Network Security Access Management Regulations, the Password Management System, the Remote Access Permission Management Regulations, and other regulations to standardize internal network management and employee behaviors.
Employees must follow all the regulations on equipment, networks, accounts, IP addresses, and firewalls before they can be granted network access. Data loss prevention (DLP) terminals are installed on all employees' office devices to manage all software on computers and monitor information transfer tools to prevent important information from being leaked.
We conduct weekly security audits of sensitive operations on critical information systems.
External cybersecurity
To ensure external cybersecurity, we monitor the Group's office network for viruses and malicious attacks every day by deploying information security products. We perform vulnerability scans and penetration tests monthly and quarterly to evaluate the integrity of existing cybersecurity systems and make improvements. Meanwhile, we conduct regular business compliance audits, as well as internal and external IT audits.
We have developed special defense solutions to address various types of network attacks. For example, we carry out network boundary defense measures using high-availability unified threat management (UTM), web application firewall (WAF), traffic cleaning, etc. to prevent malicious and unauthorized intrusions. Additionally, we enhance our detection and discovery capabilities for advanced persistent threats (APT) and post-exploitation stages through methods such as Network Detection and Response (NDR), Endpoint Detection and Response (EDR), and log auditing, enabling us to conduct comprehensive defense measures.
Data and privacy protection
VNET values data and privacy protection. We abide by laws and regulations such as the Data Security Law of the People's Republic of China and the Personal Information Protection Law of the People's Republic of China. We have also formulated the group-wide Privacy Statement, which explains the type and nature of the information that may be collected, how it will be used, consent processes, and how it will be retained, stored, and protected.
We integrate data protection measures into the development of products and services, and continuously improve such measures. For example, we take active and passive protection measures such as access controls, vulnerability scans, firewalls, data segregation, and transmission encryption to provide adequate protection for the processing of personal information.
Capacity building
VNET places significant emphasis on cultivating a culture of information security and awareness among our employees. We offer targeted training covering multiple dimensions such as information security regulations, systems, concepts, and technologies, based on the different risks that employees in different positions may face. We add information security modules to the induction training program for new recruits. In 2023, we engaged external security experts to provide specialized Information Security Management Systems (ISO/IEC 27001) training on information security, cybersecurity, and privacy protection for the Group's major business departments to enhance our overall information security management capabilities. By the end of 2023, 100% of our employees had received training in information security.
Promoting Win-Win Cooperation
VNET cannot achieve stable development without support from its partners. We build mutually beneficial cooperation with our suppliers to create a green and sustainable supply chain.
Closed-loop procurement management
VNET strictly complies with national laws and regulations and relevant regulations of the industry. Through developing internal regulations such as the Regulations on Procurement Management, the Rules on Supplier Management and the Rules on Procurement Personnel Behavior, we clearly define the responsibilities for each step of the procurement process, standardize the behavior of procurement personnel, strictly control the quality of suppliers, and implement closed-loop procurement management. In 2023, the Group optimized its Supplier Relationship Management (SRM) system, achieving online supplier sourcing, supplier certification and life cycle management for suppliers, while strengthening the visualization and traceability of the procurement process.
During the supplier access stage, we objectively and fairly evaluate suppliers through a scientific assessment system, selecting qualified suppliers to enter the pool. We optimize the access process by distinguishing between "standard access" and "express access", further enhancing the efficiency of supplier management. For existing suppliers, we regularly conduct reviews and comprehensive assessments of their service awareness, product quality, contract performance capability and other aspects to identify high-quality suppliers. Substandard suppliers are classified into rectifying suppliers, unqualified suppliers, suspended cooperation suppliers and blacklisted suppliers, which helps them solve problems in a targeted manner.
By the end of 2023, we had a total of 2,854 suppliers recorded in the database, including 5 from Hong Kong, Macau and Taiwan regions, and 5 from other countries and regions.
Sustainable supply chains
Committed to building a sustainable supply system, VNET identifies, prevents and controls potential risks in the procurement process. The comprehensive performance of suppliers is assessed from multiple perspectives based on a full-chain model integrating supplier qualification review, on-site inspection, internal assessment and testing, shortlist announcement and final selection.
We evaluate the performance of suppliers during the period of cooperation. We aim to safeguard procurement needs and ensure obligation fulfillment while actively urging our suppliers to improve sustainability. In the supplier management process, we incorporate considerations of their ESG risks and focus on their performance in environmental protection and low carbon, information security and privacy protection, labor rights and interests, occupational health and safety, as well as honesty and integrity.