
Cybersecurity Protocol for International Arbitration (2020) (Part 2)

Schedule A

Baseline Security Measures


 

Schedule A supplements Principle 2 with a non-exhaustive checklist of general cybersecurity measures that all custodians of arbitration-related information should consider implementing in their day-to-day use of technology in arbitration-related activities, bearing in mind that:


 

  • the schedule highlights various security considerations and it may not be necessary to adopt all of the measures to achieve a reasonable level of protection;


 

  • practical and detailed guidance must be balanced with the reality that cybersecurity threats and mitigation strategies evolve rapidly, such that other practices may emerge and some of the security measures identified here may be superseded or become outdated over time; and


 

  • these measures should be considered in conjunction with any systems, processes, policies, and procedures already in place, and, where appropriate, in consultation with information technology and/or information security professionals, either within one’s organization or externally.


 

This schedule is intended to offer a mixture of readily accessible and useful information that everyone involved in international arbitrations should consider, regardless of their practice setting or infrastructure, together with guidance that will be most helpful for those who work on their own or with minimal support and who largely manage their own digital architecture. Though it is beyond the scope of the Protocol to recommend specific products or vendors, links to resources that provide technology reviews and recommendations are provided in Schedule E.


 

Furthermore, although the guidance set forth here is informed by well-established, detailed technical standards for information security, most individual custodians of arbitration data will not have oversight or responsibility for full deployment of such standards (particularly in organizational settings) and do not require the level of detail or technical matter that is contained in those standards.


 

 

 

Baseline Security Measures Checklist


 

Knowledge and Education

Keep abreast of security threats and solutions


Consider professional obligations relating to cybersecurity


Consider industry standards and governmental regulations


Asset Management

Know assets and infrastructure


Identify sensitive data and take steps to minimize and protect it


Avoid unnecessary multiple copies of documents


Establish document retention and destruction practices


Enable remote location tracking and data wiping functions


Minimize access to sensitive data while traveling


Back-up data


Access Controls

Consider access control policies


Establish strong passwords or biometric controls


Consider password-change intervals


Consider password managers


Use multi-factor authentication where available


Set up separate administrator and user accounts


Periodically review user privileges


Encryption

Encrypt data in transit


Consider file-level encryption


Enable full-disk encryption


Consider encrypting data in the cloud


Communications Security

Be skeptical of attachments and links


Consider secure share-file services in lieu of e-mail


Avoid public networks or, if necessary, mitigate risks of use


Physical and Environmental Security

Consider the risks of portable storage media

Lock devices


Secure paper files


Do not leave documents unattended


Guard against “visual hacking”


Operations Security

Use professional, commercial products and tools


Do not share devices and accounts


Guard digital perimeters


Promptly install software updates and patches


Monitor for vulnerabilities


Information Security Incident Response


 

I. Knowledge and Education

Keep abreast of security threats and solutions. Effective security is an ongoing process that requires continuous attention to evolving risks and technology. For timely information about current security vulnerabilities and best practices, consider subscribing to one or more e-mail alerts or newsletters. Such alerts are free and readily available, for example, from the cybersecurity and data privacy practice groups of major law firms.


Cybersecurity training may be tailored to one’s practice environment; for example, bar associations frequently offer training that is directed to solo practitioners and small law firms. Likewise, employee training and awareness at all levels of an organization is an important part of cybersecurity defense, to raise cyber-education across the board and to create a culture of security in one’s organization.


 

Consider professional obligations relating to cybersecurity. Increasingly, achieving basic competence in technology, including familiarity with measures to protect the confidentiality, integrity, and availability of digital information, is viewed as an element of professional competence; for example, in lawyer and arbitrator ethical codes. Cybersecurity obligations may arise from other professional duties as well, such as from a duty of confidentiality. As a result, in many jurisdictions, significant cybersecurity guidance may be found in lawyer ethics opinions and on bar association websites. A sample of leading legal references and resources is contained in Schedule E.


 

Consider industry standards and governmental regulations. There are various organizations in the information security field that have developed, and regularly update, comprehensive technical standards for cybersecurity practices and policies. Links to some of the best known standards internationally are provided in Schedule E, as are links to more accessible, simplified resources that are particularly helpful for smaller organizations and individual practitioners, such as the ICC Cyber Security Guide for Business.


 

In this context, also consider whether any specific technical standards should be adopted based on the types of disputes or information that typically arise in one’s arbitration practice (e.g., personal data, aerospace and defense disputes, etc.), and governmental regulations that may apply as a result.


 

II. Asset Management

Know assets and infrastructure. An important first step to implementing appropriate security controls and safeguards is to know one’s own data security infrastructure, including professional and personal networks and network appliances (e.g., routers and firewalls), computers, tablets, smartphones, other portable devices (such as USB drives), computer appliances (e.g., printers, scanners, internet protocol enabled video and security devices, fax machines), cloud services, software programs and apps, remote access tools, and back-up services.


It is important to have an understanding (if not a written inventory) of where data resides in, and flows through, one’s digital infrastructure (or, as noted below, to be able to reasonably rely on one’s organization to have that understanding). For example, an arbitrator who uses a personal tablet to review pleadings and case-related communications should know whether the documents will be stored locally on the tablet by default, on a server for applications that are used to review these documents, and/or on a cloud storage site. One should also bear in mind that confidential data may reside in non-digital formats, such as paper files.


In most cases, individuals who work in an organization that supplies systems and other resources, together with information systems support, may reasonably rely on those resources to maintain the requisite knowledge of infrastructure, data flows, and other aspects of security, provided that the organization has taken care to implement reasonable security measures and that the individual is aware of the organizational practices and policies that apply to him or her and adheres to them. Such individuals will still need to consider data flow in connection with personal devices and infrastructure, such as any technology in a home office that is also used for work purposes.


Once one is cognizant of one’s own digital architecture and data flows, one can take steps to mitigate the risk of security incidents arising from basic security vulnerabilities.


 

Identify sensitive data and take steps to minimize and protect it. Persons involved in international arbitrations maintain a wide array of data, ranging from data that is publicly available to data that is highly sensitive because of its confidential, commercial or personal nature. To minimize the risks of unauthorized users gaining access to sensitive data, as a general practice, it is a good idea not to accept or request sensitive data that is not needed for one’s work and not to share data with anyone who does not similarly have a need for it. Such “data minimization” may also be required by various data privacy laws, such as the E.U.’s General Data Protection Regulation (GDPR).


 

Other general measures available to protect data that is deemed to warrant additional protection include, without limitation:


  • redacting (or “masking”) information (e.g., redacting party names and other identifying information in procedural orders that an arbitrator maintains from a closed matter for future consideration in other cases); and


  • adding confidentiality designations to the names of documents or folders or confidentiality legends within documents so that: (i) users will consider transmitting such information by more secure means; (ii) unauthorized recipients will be alerted and on notice that they should delete or return the data if it is inadvertently disclosed; and/or (iii) the information can be readily and securely deleted when it is no longer needed.


 

Avoid unnecessary multiple copies of documents. Avoid maintaining unnecessary multiple copies of digital or physical files and take steps to routinely look for and securely dispose of them. Be alert to the existence of copies that are created by popular digital mark-up tools, in email transmissions, through the unintentional storage of copies in cloud services linked to popular software services, such as iCloud, Adobe Creative Cloud, Microsoft Cloud, etc., and in “download” folders, and securely delete copies that are no longer required.


 

Establish document retention and destruction practices. Consider implementing document retention and destruction practices to minimize holding data that is no longer required or no longer serves a business purpose, taking into account applicable legal or ethical obligations, rules relating to the correction of awards and award recognition/enforcement proceedings, and legitimate interests in retaining information. Where documents and data from closed matters are retained for conflict checking, tax purposes, precedent purposes, or for other legitimate reasons, consider whether some or all of the data can be anonymized or redacted and whether it can or should be stored in archived form (e.g., segregated from active files on an offline, encrypted hard drive or secure cloud service).


 

Data that is no longer needed should be securely destroyed. Paper files should be shredded while digital devices and files should be securely wiped or deleted. Be sure to empty digital “trash” folders regularly and be aware that documents that have been “deleted” on a device still may be recoverable with forensic tools that are in widespread use. Consider using special programs that over-write deleted data to dispose of particularly sensitive data and always use such programs before disposing of a device.


 

Enable remote location tracking and data wiping functions. Enable remote location tracking and wiping functions that are available on mobile devices, including phones, tablets, and laptops, and take special care to securely wipe data from devices that are no longer in use. Examples include the “Find My iPhone” or “Find My Mac” capability on Apple devices, and the Android and Windows “Find My Device” capability. In larger organizations, systems support personnel may ensure that these functions are implemented in devices owned by the organization, whereas it may be the responsibility of individual users to adjust these settings on their authorized personal devices.


 

Minimize access to sensitive data while traveling. The nature of international arbitration is such that significant travel is often involved. Travel creates risks for information security caused by traveling with arbitration-related information, the use of non-secure networks, and other similar issues.


 

Some measures that one may consider to minimize travel-related risks are, among others:

  • Turn off laptops and mobile devices before passing through border security and set them so that applications and documents do not automatically load when they are turned on. This may make it more difficult for data to be accessed (e.g., by activating full-disk encryption), though beware that in some countries, including the United States and Canada, border officials may have authority to search the content on electronic devices, including by compelling the holder to provide password or biometric (e.g., fingerprint or face recognition) access.


  • Do not travel with devices that are not needed or consider traveling with a dedicated “clean” or “burner” device (i.e., a device that is reserved for travel purposes that does not have e-mail or cloud applications installed on it and that stores only data that is essential for use in transit). One may then log in to e-mail and cloud content remotely over a secure network at the destination.


  • Where the travel mode feature is available for a password manager, take advantage of it to temporarily disable access to sensitive passwords.


  • Mark and segregate privileged and confidential files in a separate digital folder so that they can readily be identified as such. If questioned, assert applicable privilege or confidentiality protections when border authorities seek to access the data.


Schedule E contains references to further guidance regarding the protection of data at border crossings.


 

Back-up data. Make routine secure and redundant data back-ups. Redundant data back-ups allow the recovery of information in the event data is lost or compromised due to human error, technical failure, ransomware attack, fire, or otherwise. One approach is to follow the so-called 3-2-1 rule, which means there should be three copies of the data in total, two different storage media should be used (e.g., one physical external and encrypted back-up drive could be used, together with a cloud-based back-up service), and one copy should be stored offsite (e.g., in the cloud). It is also commonly recommended that a “cold” back-up (i.e., a back-up that is kept offline and disconnected from one’s network) be maintained so that if one’s network is compromised, there will be an uncompromised back-up of the network data.


 

III. Access Controls

Access controls determine who has authority to access accounts, devices, and information and what privileges they have with respect to those accounts, devices, and information. Among other things, access controls include user account management, strong and complex passwords, multi-factor authentication, and/or secure password storage.


 

Consider access control policies. Robust access controls should be considered and implemented throughout one’s digital architecture as necessary to protect information from unauthorized users. For example, it may be appropriate to establish rules, among other things, for how users in the organization are to create strong passwords, how they are to store them securely, how often they are to change them, restrictions on sharing passwords, what should be password-protected (ranging from routers and printers to mobile devices, software applications, and documents or folders), and what should additionally be subject to multi-factor authentication.


 

Establish strong passwords or biometric controls. Access to accounts, devices, and information typically is protected by gateway security such as a password or biometric identification (e.g., fingerprints, face recognition, retinal scan).


 

While the trend is towards increased use of biometrics, which are convenient and considered secure, most users will have a continuing need for the foreseeable future to create passwords. Key recommendations made by the United States National Institute of Science and Technology (“NIST”) include that passwords should be based on unique passphrases, at least 8 characters long, and easily remembered. A passphrase (or “memorized secret”) is a sequence of words or text that is longer than a typical password (i.e., longer than 6-10 characters) and easy for the user to remember, but hard for anyone else (even someone who knows the user well) to guess. Thus, common dictionary words, popular quotes, past passwords, repetitive or sequential characters, and context-specific words (such as derivatives of the service being used) should be avoided. Mixtures of different character types can also be used in a passphrase, but are not strictly necessary.

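The NIST-style rules just listed (minimum length, no common or previously used passwords, no repetitive or sequential runs, no words derived from the service or user name) can be enforced mechanically at the point where a password is chosen. The following Python is an added illustration, not code from the Protocol; the blocklist, the service name, the username and the candidate secrets are constructed sample values.

```python
import re

# NIST SP 800-63B minimum for a user-chosen memorized secret (from the text above).
MIN_LENGTH = 8

# Constructed sample blocklist; a real deployment would load a large breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "arbitration"}


def has_repetitive_run(secret, n=3):
    """True if any single character repeats n or more times in a row ('aaa')."""
    return re.search(r"(.)\1{%d,}" % (n - 1), secret) is not None


def has_sequential_run(secret, n=4):
    """True if n consecutive characters step by exactly +1 or -1 in code-point
    order, catching runs such as 'abcd' or '4321' (case-insensitive)."""
    low = secret.lower()
    for i in range(len(low) - n + 1):
        window = low[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def context_words(service_name, username):
    """Derive the context-specific tokens a secret must not contain: the
    alphanumeric pieces (3+ characters) of the service name and the username."""
    words = set()
    for source in (service_name, username):
        for token in re.split(r"[^a-z0-9]+", source.lower()):
            if len(token) >= 3:
                words.add(token)
    return words


def check_secret(secret, service_name, username, previous_secrets=()):
    """Return the list of reasons the candidate is rejected; an empty list means
    it passes every rule in this checker."""
    reasons = []
    low = secret.lower()
    if len(secret) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if low in COMMON_PASSWORDS:
        reasons.append("appears on the common-password blocklist")
    if secret in previous_secrets:
        reasons.append("reuses a previous password")
    if has_repetitive_run(secret):
        reasons.append("contains a repeated-character run")
    if has_sequential_run(secret):
        reasons.append("contains a sequential-character run")
    hits = sorted(w for w in context_words(service_name, username) if w in low)
    if hits:
        reasons.append("contains context-specific words: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: a hypothetical case-management portal and user.
    for candidate in ("Pass1234", "ArbitrationPortal2020", "purple-llama-vault-2020"):
        verdict = check_secret(candidate, "Arbitration Portal", "jane.doe")
        print(candidate, "->", "accepted" if not verdict else "; ".join(verdict))
```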

 

Consider password-change intervals. Arbitral participants may also consider how frequently they change passwords, including consideration of whether there are indications that any previous passwords have been compromised. For example, there are publicly available websites such as www.haveibeenpwned.com that may indicate whether any prior passwords have been compromised as the result of prior data breaches.


 

Consider password managers. Security professionals often recommend the use of password managers, which are software applications that generate, store, and manage passwords. When a password manager is in place, the user need only create and remember one complex master password, thereby making it practicable for arbitrators, parties, and administering institutions to use stronger, unique passwords for every account/service being used, and to change them from time to time. Some password managers also offer an audit feature which helps identify vulnerable passwords and/or have special travel settings that can be used to limit access to sensitive sites and passwords during border crossings and travel to vulnerable destinations. Before choosing a password manager, among other things, it is important to consider the commercial reputation of the service and how it handles data recovery.


 

Use multi-factor authentication where available. Multi-factor authentication requires additional proof of identity beyond a password at the time of login. The control may consist of entering a special code transmitted by the provider to the user at login via text message, email, or a special dedicated device, such as an authentication token.


 

Given how frequently arbitrators, parties, and administering institutions involved in international arbitrations travel, they may wish to ensure that any secondary authentication factor is available offline or that there is a back-up offline alternative (such as a physical static security token or key that plugs into the device) to provide the authentication.


 

In some cases (when logging into e-mail, for example), it may also be possible to simplify the use of multi-factor authentication and avoid issues arising from lack of internet connectivity while traveling by entering the secondary authentication factor one-time and designating the device being used as a “trusted device.” When this is done, the additional authentication is only required when a new or different device, such as a public computer, is being used.


 

Multi-factor authentication may be considered, in particular, for obtaining remote access to networks, systems, or platforms that contain confidential or sensitive information.


 

Set up separate administrator and user accounts. An administrator account is a user account that has greater privileges than an ordinary user, such as to install new programs or hardware, change the usernames and passwords of others, access critical system files, and/or change security settings. To reduce the damage that a malicious program or attacker could do if they gain access to a system or account, it is generally advisable to use a standard user account (when logging in to one’s computer, for example) for day-to-day work rather than an administrative account. A standard user account should have a different password than the administrative account.


 

Periodically review user privileges. Organizations should review access control lists and user privileges for systems and accounts on a periodic basis (e.g., quarterly or annually, depending on the size of the organization, and otherwise in the event of personnel changes) and disable access for former employees and others who no longer require access.


 

IV. Encryption

Encryption is a process that uses an algorithm to transform information to make it unreadable to unauthorized persons. Encrypted data appears as unreadable cipher text except when decrypted with one or more encryption “keys.”


 

Encrypt data in transit. Arbitral information should generally be protected during transmission using industry-standard encryption technology. Most e-mail and cloud services, with the notable exception of some free e-mail services, use transport layer security by default to protect all e-mail and documents while they are in transit over the internet. Note, though, that this is not full end-to-end encryption and the data is decrypted for processing at various steps in transit. Especially sensitive documents and communications should be transmitted by other means. As explained below regarding communications security, if an unprotected Wi-Fi network is being used, measures to ensure that information will be encrypted in transit include using a reputable, commercial virtual private network and using websites that employ HTTPS security.


 

Third-party encryption software may be considered where it is appropriate to have end-to-end encryption of e-mail messages (i.e., to ensure that there is not only a secure connection for transmissions, but also that messages can be viewed only by the sender and the recipient).


 

Consider file-level encryption. Where appropriate, specific documents or folders may be encrypted before being transmitted. Many popular applications, such as Microsoft Office, provide the option to add a password to a file to encrypt its contents.


 

Enable full-disk encryption. To guard against unauthorized access of digital information due to loss or theft of a laptop or other mobile device, enable full-disk encryption to protect the entire hard drive of the device from all persons who lack proper sign-on credentials. On a laptop, the option to enable full-disk encryption is now built into the operating software (known as “BitLocker” on Windows systems and “FileVault” on Apple systems), but it must be enabled. Once enabled, a user will need an account password to log on to the device, and the hard drive will be encrypted when the device is turned off (i.e., not when it is sleeping). Android and iOS devices also support full-disk encryption, as do many portable storage devices such as USB drives.


 

Consider encrypting data in the cloud. It is generally appropriate to encrypt data before it is uploaded to a file-sharing or cloud storage service. Always use “business” or “professional” versions of such services and avoid free consumer versions, which tend to have less robust security. Some services make use of a “zero-knowledge” protocol, which means that two encryption keys are required to decipher encrypted data and the subscriber can maintain sole custody of one of the keys in a readable format rather than sharing it with the cloud provider. This feature provides the significant advantage that even if the service itself suffers a security breach, the user’s data should remain inaccessible to the intruder.


 

V. Communications Security

Be skeptical of attachments and links. Phishing attacks are commonplace and sometimes highly sophisticated in mimicking known or authorized sources. Download programs and digital content only from known legitimate sources and do not open attachments or click on links from unknown email senders. Sometimes, a malicious e-mail or link may be identified simply by double-checking the sender’s e-mail address for a discrepancy or hovering over, but not clicking on, a link to reveal an unrelated web address. Moreover, if in doubt about the legitimacy of an email, contact the sender directly by telephone. Instead of clicking on the link in an email, enter the correct URL of the site in a browser and navigate directly to the website. Provide passwords or personal identifying information only when certain the request is from a legitimate website and exercise extreme caution if a site asks for such information to be re-entered. Seek out anti-phishing training.

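The manual checks described above (compare the sender address for a discrepancy, hover over a link to see where it really points) can be automated as a mail-triage aid. The following Python is an added example, not code from the Protocol; it runs over two constructed sample messages whose domains use reserved .example names, and it flags three kinds of mismatch: an address shown in the display name that differs from the real sender, a Reply-To at another domain, and link text that displays one host while the href goes to another.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the <a> we are inside, or None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable(host):
    """Approximate the registrable domain as the last two labels. Good enough for
    this comparison; a production tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def host_of(text):
    """Host part of a URL, or of bare text that looks like a domain."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def analyse(raw_message):
    """Return a list of (check, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0]

    # Check 1: the display name shows an address at a domain other than the real sender's.
    if "@" in sender.display_name:
        claimed = sender.display_name.rsplit("@", 1)[1].strip('" ')
        if registrable(claimed) != registrable(sender.domain):
            findings.append(("display-name", "%s shown, message really from %s" % (claimed, sender.domain)))

    # Check 2: replies would go to a domain other than the one the mail came from.
    if msg["Reply-To"] is not None:
        reply = msg["Reply-To"].addresses[0]
        if registrable(reply.domain) != registrable(sender.domain):
            findings.append(("reply-to", "replies routed to %s, not %s" % (reply.domain, sender.domain)))

    # Check 3: the link text displays one address while the href points elsewhere,
    # which is what hovering over the link would reveal to a careful reader.
    collector = AnchorCollector()
    collector.feed(msg.get_content())
    for text, href in collector.anchors:
        if " " in text or "." not in text:
            continue  # ordinary words, not an address shown to the reader
        if registrable(host_of(text)) != registrable(host_of(href)):
            findings.append(("link", "text shows %s, href goes to %s" % (host_of(text), host_of(href))))
    return findings


# Constructed sample messages (not real mail); all domains are reserved .example names.
SUSPICIOUS_MESSAGE = """\
From: "secretary@arbitral-institution.example" <alerts@mail-relay.example.net>
Reply-To: secretary@arbitral-institutlon.example
To: arbitrator@example.org
Subject: Procedural Order No. 3 - action required
Content-Type: text/html; charset="utf-8"

<p>Please review the order at <a href="http://arbitral-institution.example.unrelated-host.example/login">https://arbitral-institution.example/orders/3</a></p>
<p>Questions? Visit <a href="https://arbitral-institution.example/help">our help page</a>.</p>
"""

CLEAN_MESSAGE = """\
From: Tribunal Secretary <secretary@arbitral-institution.example>
To: arbitrator@example.org
Subject: Procedural Order No. 3
Content-Type: text/html; charset="utf-8"

<p>The order is available at <a href="https://arbitral-institution.example/orders/3">https://arbitral-institution.example/orders/3</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, "->", analyse(raw) or "no findings")
```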

 

Consider secure share-file services in lieu of e-mail. Where appropriate, file-sharing or cloud storage services may be used as an alternative to e-mail for more secure transmissions. Cloud storage is a service that maintains data on remote servers that are accessed over the internet. Third party cloud storage can provide better security than an individual practitioner or small organization can reasonably provide on its own. The use of a reputable cloud service with appropriate security controls can thus be a convenient, secure, and appropriate way to store and share data.

考虑使用安全的共享文件服务代替电子邮件。在适当的情况下,可以使用文件共享或云存储服务来替代电子邮件,以实现更安全的传输。云存储是一项服务,用于维护通过网络访问的远程服务器上的数据。第三方云存储可以提供比个人从业人员或小型组织可以合理自行提供的更好的安保。因此,将信誉良好的云服务与适当的安全控制一起使用可以是一种方便、安全且适当的方式来存储和共享数据。

 

Numerous bar association opinions in the United States have considered what due diligence should be undertaken to determine whether the use of a particular cloud storage technology or service provider is consistent with a lawyer’s duty to maintain confidentiality (see Schedule E). The requirements typically include factors such as having a reasonable understanding of the provider’s security system and its commitment to maintaining confidentiality, provisions for the user’s access, protection and retrieval of data, notice provisions when third parties seek access to data, and regulatory, compliance and document retention obligations that may depend on the nature of the data and the location of the provider’s servers.

Avoid public networks or, if necessary, mitigate risks of use. Avoid unprotected use of public internet networks in hotels, airports, coffee shops, and elsewhere. Public Wi-Fi networks may provide hackers with access to unsecured devices on the same network, allow them to intercept password credentials, or to distribute malware. Instead of public networks, it may be preferable to use personal cellular hotspots or a wireless tether to establish an internet connection.

If it is deemed necessary to connect to a public network, the risks of such a connection may be mitigated by:

  • where possible, checking the authenticity of the network username and any password with the network’s owner, to avoid connecting to an impostor network;

  • limiting the length of the connection time (e.g., to the time needed to send drafted messages and to download new ones);

  • using a reliable, commercial (paid) virtual private network (VPN) service, the purpose of which is to establish an encrypted connection over the internet for the secure transmission of data and to allow users to mask their identity from others on the network by identifying the user through the VPN; and/or

  • when accessing confidential information, avoiding connecting to websites that fail to use HTTPS (hypertext transfer protocol secure, which encrypts the transmission of data between two devices connected over the internet), as indicated by web addresses that begin with “https” rather than “http.”

VI. Physical and Environmental Security

Physical access to information resources should be controlled to prevent unauthorized access, damage, or interference. Preventing loss or theft of devices is especially important because many cases of digital intrusion begin with simple human error, such as leaving laptops behind in airport security lines or using non-secure computers or printers in airline clubs or hotel business centers, where copies may persist in the memory of the shared devices.

Consider the risks of portable storage media. Consider the risks of using portable storage media, such as USB or “thumb” drives, which are small and easily misplaced. Never use a USB or other portable peripheral device unless you know its source, as such devices can be loaded with malicious software. Risks associated with these devices may be mitigated by encrypting the data and password-protecting the devices.

Passwords should not accompany the drive or be transmitted in a way that is easily matched to the drive. For example, the password may be provided separately by telephone or text message.

Lock devices. Turn off and lock computers (with a cable lock or in a docking station) when they are not in use or when away from them more than momentarily. Laptops and mobile devices should be configured to automatically lock screens after a certain period of inactivity (e.g., 5 or 10 minutes).

Secure paper files. Take care to protect the information contained in paper copies of arbitration-related data. If possible, work in a dedicated location and restrict access to that area. Maintain files in secure locations and safeguard them against disasters such as fire and floods.

Do not leave documents unattended. Whenever any confidential data is shipped, make it a practice to track packages and ensure that packages will not be left unattended upon delivery (requiring signature, if necessary). Similarly, do not leave confidential data unattended on a printer, fax machine, or scanner.

Guard against “visual hacking.” Consider using privacy screens for laptops and mobile devices when accessing confidential information or accounts while in transit or in public or semi-public places.

VII. Operations Security

Use professional, commercial products and tools. Avoid free or consumer versions of products and tools such as e-mail services, cloud share-file services, virtual private networks, and anti-virus software. Business and professional (or “enterprise”) versions of the same tools frequently are available at a minimal cost and generally include more robust security protection. Implement available security features of these products and tools in consultation with their customer service representatives and/or information technology or information security personnel about appropriate security settings.

Do not share devices and accounts. Avoid sharing devices or accounts (such as laptops, e-mail, and cloud storage) that contain business confidential information with family members or others not directly involved in one’s business.

Guard digital perimeters. Measures such as firewalls, antivirus, and anti-malware and anti-spyware software, which are widely available from numerous reputable vendors, guard digital “perimeters.” These tools typically offer multiple settings so that the products can be customized for various users. For example, a solo practitioner or small business looking for anti-virus and anti-malware protection may consider a business or professional application (as opposed to a free, consumer version) that offers the ability to continuously scan the device or network rather than requiring manual initiation of the scan.

Promptly install software updates and patches. It is critically important to promptly install updates and patches to operating systems and other software applications. Vendors frequently release updates and patches as an immediate response to identified security threats. Time is then of the essence to avoid the threat which the patch is intended to address. Avoid using any software that a developer has stopped supporting by releasing patches since unsupported software is an attractive target for malicious actors.

Monitor for vulnerabilities. Arbitrators, parties, and administering institutions should regularly consider the scope and effectiveness of their security practices and take steps to remediate or mitigate any security weaknesses that they identify through such systematic reviews. Among other things, for example, this may entail automated scans for updates and patches to operating systems and software; automated scans for malware; reviewing account access logs for, or receiving alerts of, unauthorized access to critical services; and/or configuring systems or services to identify weak password credentials.
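As an added illustration (not part of the Protocol) of reviewing account access logs for signs of unauthorized access, the Python script below scans constructed log lines of the kind a cloud or e-mail service exports and raises an alert for a login that follows a burst of failed attempts and for a login from a country not previously seen for that account. The log format, accounts, addresses and thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access-log lines (timestamp, account, source IP, country, outcome);
# the accounts, addresses and country code "XX" are placeholders, not real data.
ACCESS_LOG = """\
2020-03-02T08:01:10Z counsel@law-firm.example 203.0.113.7 GB success
2020-03-02T08:40:55Z counsel@law-firm.example 203.0.113.7 GB success
2020-03-03T02:14:01Z counsel@law-firm.example 198.51.100.23 XX failure
2020-03-03T02:14:09Z counsel@law-firm.example 198.51.100.23 XX failure
2020-03-03T02:14:20Z counsel@law-firm.example 198.51.100.23 XX failure
2020-03-03T02:15:02Z counsel@law-firm.example 198.51.100.23 XX success
2020-03-03T09:00:00Z arbitrator@chambers.example 192.0.2.44 CH success
"""

def parse(lines):
    """Split the space-separated log format above into typed records."""
    records = []
    for line in lines.splitlines():
        ts, account, ip, country, outcome = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, country, outcome))
    return records

def review_access_log(lines, max_failures=3, window=timedelta(minutes=10)):
    """Return alert strings for (1) a success preceded by max_failures or more failures
    from the same source within `window`, and (2) a success from a country never before
    seen for that account. Thresholds are illustrative; tune them to your own service."""
    alerts = []
    recent_failures = defaultdict(list)  # (account, ip) -> timestamps of failed attempts
    known_countries = defaultdict(set)   # account -> countries with an earlier success
    for ts, account, ip, country, outcome in parse(lines):
        key = (account, ip)
        if outcome != "success":
            recent_failures[key].append(ts)
            continue
        fails = [t for t in recent_failures[key] if ts - t <= window]
        if len(fails) >= max_failures:
            alerts.append(f"{ts:%Y-%m-%d %H:%M}: {account} logged in from {ip} "
                          f"after {len(fails)} failed attempts")
        recent_failures[key].clear()
        if known_countries[account] and country not in known_countries[account]:
            alerts.append(f"{ts:%Y-%m-%d %H:%M}: {account} logged in from new country {country} ({ip})")
        known_countries[account].add(country)
    return alerts

if __name__ == "__main__":
    for alert in review_access_log(ACCESS_LOG):
        print("ALERT", alert)
```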

VIII. Information Security Incident Response

Notwithstanding the implementation of security and data protection measures, cybersecurity incidents occur with some frequency. Applicable law and sometimes professional or ethical obligations may impose breach response obligations, which may include notification to affected persons and other remediation measures. Arbitrators, parties, and administering institutions should consider having an incident response plan prepared in advance that includes specific plans and procedures for responding to a breach, and should also be aware that such plans and procedures could be required by applicable law. The planning and response will be facilitated by awareness of one’s digital architecture and the location of one’s data. It also is advisable to consider obtaining cybersecurity risk insurance, which may be available through bar associations or other sources.

Schedule B

Arbitration Information Security Risk Factors

Information security risk in an arbitration is a function of: the nature of the information being processed; the risks related to the subject matter of the arbitration and the participants in the process; other factors impacting the risk profile of the arbitration; and the foreseeable consequences of a breach.

Careful consideration of the risk profile of the arbitration will inform the determination of the reasonable measures to be applied in the arbitration pursuant to Principle 6. In some cases, the risk profile analysis may lead to classification of the arbitration data into different risk categories that may require differing measures of protection.

The following list is intended to help the parties and the tribunal assess the risk profile of the arbitration.

I. Nature of the Information

As concerns the nature of information that is likely to be processed in the arbitration, the following factors, among others, may be considered:

(a) whether personal data, also referred to as personally identifying information (“PII”), will be processed;

(b) whether sensitive data that is legally regulated or protected will be processed (for example, under data protection legal regimes, laws or regulations protecting health data, banking or personal financial records, or other sensitive categories of data);

(c) whether confidential commercial information, including financial or accounting records, will be processed;

(d) whether data of standalone value such as audio-visual content, proprietary databases, or other intellectual property will be processed; and

(e) whether the data to be processed will likely include information that is subject to express confidentiality agreements or other relevant contractual obligations.

Examples of the types of data that may require special consideration include:

(a) intellectual property;

(b) trade secrets or other commercially valuable information;

(c) health or medical information, including specially protected categories such as substance abuse treatment records and HIV/AIDS status or treatment;

(d) other categories of sensitive personal information, including data concerning racial or ethnic origins, political opinions, sexuality, religious beliefs, trade union activity, criminal records (including sealed criminal records);

(e) payment card information;

(f) non-payment card financial information;

(g) personal data, which is also referred to as personally identifying information (“PII”);

(h) information subject to a professional legal privilege, such as attorney-client or doctor-patient privilege;

(i) information related to or belonging to a government or governmental body (including classified data and politically sensitive information); and

(j) information that may be detrimental or embarrassing to a natural or legal person if released.

II. Risks Relating to the Subject Matter of the Arbitration or the Identity of Parties, Key Witnesses, Other Participants (Including Arbitral Institution and Experts)

The nature of the subject matter of the arbitration or the identity of participants in the arbitration may also impact the risk profile of the arbitration. The following factors, among others, may be considered in determining the impact of these factors on information security risk:

(a) whether the matter involves a party or other participant with a history of being targeted for cyber-attacks;

(b) whether the matter involves parties or others that handle large amounts of high value confidential commercial information and/or personal data (e.g., a law firm, bank, or health care provider);

(c) whether the matter involves a public figure, high-ranking official or executive, or a celebrity; and

(d) whether the matter touches upon any government, government information, or government figure.

III. Other Factors Impacting the Cybersecurity Risk Profile of an Arbitration

Other factors that may influence the cybersecurity risk profile of an arbitration include:

(a) the industry/subject matter of the dispute;

(b) the size and value of the dispute;

(c) the prevalence of cyber threats, including threats that target the industry, parties, or type of data involved in the arbitration;

(d) whether the matter is likely to attract news or media attention or impacts public policy or matters of public interest;

(e) the quantity of confidential or sensitive data likely to be processed in the arbitration;

(f) the security environment in which the data is stored or communicated, including network security, the security of transmission and communications in the arbitration, and the format in which the data is stored and transmitted, e.g., whether the data is encrypted, masked, or minimized;

(g) the identity of the parties, key witnesses, any administering institution, and other individuals who may have access to the data that is processed in the arbitration; and

(h) the nature and frequency of events that increase the risk of breach, including transmissions of data, email or other communications that include the data, and the level of international travel likely to be required for the arbitration.

IV. Consequences of a Potential Breach

The consequences of a breach should also be considered in deciding the risk profile of an arbitration, including:

(a) risks of potential injury caused by loss of confidentiality, availability, integrity, or authenticity of the information;

(b) risks to the integrity of the arbitration process or the nature and quality of evidence in the proceeding;

(c) financial loss, loss of privacy, destruction of value from release of confidential or proprietary data, injury to reputation or privacy of natural or legal persons, exposure of confidential, secret, or proprietary data; and

(d) in addition to considering the potential impact of a breach on the tribunal, parties, and administering institution, consideration should be given to the potential impact on persons outside of the arbitration process, including but not limited to the persons to whom personal data relates. An information breach suffered by one participant may cause injury to other participants or to third parties.