Modern Dairy Information Security Management Policy

To safeguard company data security, standardize company data management, and improve the company’s data security management system, ensuring data integrity, availability, and confidentiality, and preventing risks such as data leakage, tampering, and misuse, this “Modern Dairy Information Security Management Policy” (hereinafter referred to as “this Policy”) is formulated in accordance with data security laws, regulations, and standards such as the “Cybersecurity Law of the People’s Republic of China,” the “Data Security Law of the People’s Republic of China,” and the “Personal Information Protection Law.”

2.1 Data

Broadly, data refers to any record of information, whether electronic or otherwise. Data as referred to in this Policy means data generated in the company’s business systems and data products, including but not limited to company status, product information, operational data, research results, etc., and applies to all data security management aspects throughout the entire lifecycle of data collection, transmission, use, storage, sharing, archiving/destruction.

2.2 Data Security

Data security refers to a series of measures and technologies designed to protect data from unauthorized access, use, disclosure, destruction, or alteration. These measures aim to ensure the confidentiality, integrity, and availability of data, thereby maintaining the lawful use and continuous secure state of data.

Modern Dairy makes the following commitments:

  • We regularly evaluate and update our information security management system to adapt to evolving security threats and technological developments, ensuring its effectiveness and adaptability.
  • We take all necessary measures to protect all company data from unauthorized access, use, disclosure, destruction, or alteration, ensuring the accuracy, integrity, and availability of data.
  • We establish effective monitoring mechanisms to promptly detect, assess, and respond to various information security threats and incidents, minimizing potential losses.
  • All Modern Dairy employees are responsible for protecting the company’s information assets and must comply with this Policy and related rules and regulations.
  • We set clear information security requirements for third parties collaborating with the company (including suppliers) and incorporate them into contract terms, ensuring that they comply with the same information security standards as the company.

4. Emergency Response and Incident Handling

Modern Dairy has developed detailed data security emergency plans to ensure a rapid and effective response in the event of a data security incident, minimizing losses and restoring normal business operations. These plans clearly define the emergency response processes and steps, including incident discovery, reporting, assessment, handling, and recovery. The plans are regularly updated, and are adjusted and optimized based on actual circumstances.

4.1 Emergency Response Team: A dedicated emergency response team is established, responsible for coordination, command, and handling in the event of a data security incident. Team members possess relevant technical capabilities and professional knowledge to quickly respond to various security threats and attacks.

4.2 Incident Assessment and Handling: The emergency response team conducts a rapid assessment of reported security incidents to determine the nature, impact, and scope of the incident. Based on the assessment results, appropriate handling measures are taken, including isolating affected systems, blocking attack behaviors, restoring damaged data, etc. During the handling process, the effectiveness and timeliness of the measures are ensured to prevent the incident from further expanding and worsening.

4.3 Communication and Collaboration: During the emergency response process, the emergency response team maintains close communication and collaboration with other relevant departments and personnel to ensure timely transmission and sharing of information. The team also actively maintains contact with external partners and regulatory agencies to jointly address data security threats and challenges.

4.4 Post-Incident Review and Improvement: After the emergency response, a summary and review of the entire incident are conducted, analyzing the causes, lessons learned, and improvement measures. By summarizing experiences and lessons, the emergency plans and handling processes are continuously improved, enhancing data security emergency response capabilities.

5. Information Security Vulnerability Analysis

Modern Dairy has established a multi-layered, continuous vulnerability analysis mechanism, aimed at systematically discovering, assessing, and repairing potential security weaknesses in its information technology infrastructure and information security management system.

5.1 Vulnerability Identification and Assessment Methods

We employ the following main methods and tools for information security vulnerability analysis:

  • Automated Vulnerability Scanning: Regularly use professional vulnerability scanning tools to conduct comprehensive scans of all networked systems, network devices, and web applications within the company to discover known vulnerabilities and configuration errors. This includes network/system vulnerability scanning and web application vulnerability scanning.
  • 0-day Vulnerability Protection: Discover and address 0-day vulnerability threats in a timely manner through APT unknown threat detection facilities and 0-day vulnerability intelligence provided by professional security organizations.
  • Manual Penetration Testing: At least once a year, commission independent third-party security organizations to conduct simulated real-world attack penetration tests on critical business systems and network boundaries to discover logical vulnerabilities and business process vulnerabilities that are difficult for automated tools to identify.

5.2 Vulnerability Management Process

We have established a comprehensive vulnerability management process to ensure that vulnerabilities are effectively controlled throughout their entire lifecycle from discovery to remediation:

  • Discovery and Validation: After discovering vulnerabilities through the above methods, validate them and assess their severity, prioritizing risks.
  • Remediation and Tracking: Assign vulnerabilities to the appropriate teams for remediation and track remediation progress.
  • Retesting and Verification: After remediation, retest to confirm that the vulnerability has been successfully closed.
  • Summary and Improvement: Incorporate lessons learned into the knowledge base and continuously improve security policies and processes.

External auditors conduct an annual audit of the company’s IT system infrastructure and/or information security management system. In 2024, the company’s external auditor audited the company’s main IT systems, including the Kingdee financial system, SAP system, Yunyangniu system, and integrated system. This audit referenced the relevant principles of Hong Kong Auditing Standards (HKSA).

After the internal audit, a detailed audit report will be formed, including:

  • Audit Findings: Identified non-conformities, vulnerabilities, or opportunities for improvement.
  • Risk Assessment: Risk assessment of the identified issues.
  • Improvement Recommendations: Specific, actionable improvement measures and responsible departments.

Modern Dairy deeply understands that all employees are the first line of defense for information security. To ensure that information security incidents, vulnerabilities, or suspicious activities can be promptly discovered and effectively handled, we have established a clear and convenient employee reporting process and encourage all employees to actively fulfill their information security responsibilities.

8.1 Reporting Scope

All employees, including full-time employees and third-party personnel with business dealings with the company (e.g., supplier on-site personnel, contractors), have the responsibility and obligation to report the following types of information:

  • Security Incidents: Any event that may lead to data leakage, system disruption, unauthorized access, or data tampering, such as: receiving suspicious phishing emails or SMS messages; discovering abnormal system behavior or performance degradation; abnormal logins or activities on personal or colleague accounts; loss or theft of company equipment (e.g., laptops, USB drives); discovering unauthorized devices connected to the company network.
  • Security Vulnerabilities: Any defect or weakness that could be exploited to harm company information assets, such as: discovering easily exploitable vulnerabilities in systems or applications; discovering weak passwords, default passwords, or insecure configurations; discovering sensitive information being transmitted or stored through insecure channels.
  • Suspicious Activities: Any behavior that may or may not constitute a security threat but feels abnormal or deviates from routine, such as: strangers attempting to enter restricted areas; discovering unknown files or programs; colleagues or external personnel exhibiting abnormal information collection behavior.

8.2 Reporting Process and Channels

Upon discovering a potential security incident, vulnerability, or suspicious activity, employees should immediately take the following steps to report it:

  1. Preliminary Isolation (if applicable): Without compromising personal safety or causing greater damage, attempt to preliminarily isolate the affected equipment or network connection (e.g., disconnect network cables, but never shut down the device, so that evidence is not lost).
  2. Immediate Reporting:
     • Reporting Platform: Submit online through the company’s designated internal IT service desk (ticketing system).
     • Direct Contact: If the above channels are unavailable, directly contact the department manager or information security engineer.

       Information Technology Department:

  3. Provide Detailed Information: When reporting, employees should provide information that is as detailed and accurate as possible, including: a brief description of the incident/vulnerability/suspicious activity; time and location of occurrence; involved systems, equipment, or personnel; any preliminary measures taken; relevant evidence (e.g., screenshots, error messages, log snippets, etc.).
  4. Cooperate with Investigation: After reporting, employees should actively cooperate with the information security emergency response team’s investigation work, provide required information, and follow the team’s instructions.

8.3 Follow-up Handling and Feedback

  • Team Response: The information security emergency response team will immediately assess, classify, and respond upon receiving a report.
  • Confidentiality: All reported information will be kept strictly confidential and used only for incident investigation and handling.
  • Encouragement and Incentives: The company encourages employees to actively report security issues. Employees who promptly discover and report significant security risks will be given appropriate recognition or rewards.

9. Information Security Awareness Training

Modern Dairy is committed to enhancing the security literacy of all employees through continuous, comprehensive information security awareness training and promotion, making them active participants and guardians of information security. The Information Department is responsible for organizing and promoting company data security training and awareness campaigns, with the Compliance Management Department assisting in compliance promotion for data security.

9.1 Training Content and Formats

Training content covers: company policies, data protection, cybersecurity fundamentals, email security, mobile device security, social engineering prevention, incident reporting procedures, and compliance requirements. Training targets all employees and third-party personnel. Training formats are diverse, including:

  • New Employee Onboarding Training: All new employees must complete basic information security training.
  • Regular Online/Offline Training: Provide online courses, videos, and specialized lectures.
  • Security Awareness Campaigns: Continuously reinforce awareness through posters, internal emails, etc.
  • Simulated Phishing Email Tests: Conduct regular tests to assess employees’ identification capabilities.

9.2 Division of Responsibilities and Continuous Improvement

The Information Department is responsible for organizing and implementing training plans, while the Compliance Management Department focuses on compliance promotion. We evaluate training effectiveness through post-training tests and simulated exercises and continuously improve training content and formats based on evaluation results to ensure their effectiveness and adaptability.

Modern Dairy is committed to transparent management. In 2024, the company had 0 violation incidents.

This Policy will be reviewed at least once a year, or when significant organizational, technological, or legal and regulatory changes occur, to ensure its continuous applicability and effectiveness.