VAP_Auditee_Introduction_6Nov09
2018 RBA VAP Audit Operations Manual (V6.0.0)
RBA Validated Audit Program (VAP) Operations Manual
Revision 6.0.0 – January 2018

Organizations working with and in the Responsible Business Alliance (RBA) are working to improve sustainability and social responsibility within the global supply chain. These companies recognize a mutual responsibility to ensure working conditions are safe, workers are treated with respect and dignity, and that manufacturing practices are environmentally responsible.

The Validated Audit Program (VAP) is a collaborative approach to auditing to reduce the burden on supply chain companies from multiple requests for social audits. The VAP meets the need for a high quality, consistent and cost-effective standard industry assessment for labor, ethics, health, safety and environmental practices based on the RBA code of conduct, laws, and regulations.

For more information about the Validated Audit Program (VAP), please contact:
• RBA Email: vap@
• RBA Address: Suite 330, 1737 King Street, Alexandria VA 22314, USA
• RBA Website:

© 2017 Responsible Business Alliance. All Rights Reserved. No part of these materials may be reproduced or transmitted in any form or by any means, electronic or mechanical, including but not limited to photocopy, recording or any other information storage or retrieval system known now or in the future, without the express written permission of the Responsible Business Alliance, Incorporated. The unauthorized reproduction or distribution of this copyrighted work is illegal and may result in civil or criminal penalties under the U.S. Copyright Act and applicable copyright laws.

1. GENERAL NOTES

This Appendix outlines requirements or AC for site observation, document review, management knowledge and understanding and worker awareness and understanding for each of the RBA Code provisions as described in the most current VAP OM.
These are termed Conformance Requirements in this Appendix. All of the Conformance Requirements must be met for the Auditors to conclude Conformance for that AC.

The appendix provides also additional clarification, definitions, details and examples. These are termed Additional Assistance. Additional assistance is guidance and assistance to the Conformance Requirements but do not form in themselves a requirement of conformance.

Additionally, this Appendix provides guidance for rating non-conformance for each of the AC.

The following notes apply for all provisions herein:
• When there is a discrepancy between the RBA code, local law, a participant’s policies or a Collective Bargaining Agreement, the RBA defines conformance to the RBA code as meeting the strictest requirements (even if it meets RBA code provisions and legal requirements).
• A legal non-conformance is a Major non-conformance unless otherwise stated in a specific provision (e.g. A3.1 if situation of Auditee is below 60h/w but above local law for ≤40% of the workers) or there is another finding which has a higher non-conformance rating for that provision
• For the purpose of rating, an element is defined as any listed Conformance Requirement.
• All communications from Auditee to workers must be done in a language the worker can understand unless otherwise stated in the provisions. If this is not the case, then the relevant aspect is at minimum a ‘Major’ non-conformance.
• All AC apply to all workers, including temporary, migrant, student and contract, directly and indirectly employed workers that work in the factory/on production/in warehouse and any other type of worker/employee unless the AC specifically states a narrower focus group.
• Unless otherwise noted, references to percentage of workers in conformance or non-conformance are based upon the defined sample.
• A process is not required to be in writing as per ISO (unless the AC states specifically it must be documented), however all processes must be verifiably implemented in a consistent way
• “Supplier” in this section shall mean “Next Tier Major Supplier”. This is different to ‘supplier” which can be any supplier to the facility.

RBA VAP Operations Manual v6.0.0 Strictly internal to RBA for RBA Audits only

2. A. LABOR

A1) Freely Chosen Employment

Forced, bonded (including debt bondage) or indentured labor; involuntary or exploitative prison labor; slavery or trafficking of persons shall not to be used. This includes transporting, harboring, recruiting, transferring or receiving persons by means of threat, force, coercion, abduction or fraud for labor or services. There shall be no unreasonable restrictions on workers’ freedom of movement in the facility in addition to unreasonable restrictions on entering or exiting company-provided facilities. As part of the hiring process, workers must be provided with a written employment agreement in their native language that contains a description of terms and conditions of employment prior to the worker departing from his or her country of origin and there shall be no substitution or change(s) allowed in the employment agreement upon arrival in the receiving country unless these changes are made to meet local law and provide equal or better terms.
All work must be voluntary and workers shall be free to leave work at any time or terminate their employment. Employers and agents may not hold or otherwise destroy, conceal, confiscate or deny access by employees to employees’ identity or immigration documents, such as government-issued identification, passports or work permits, unless such holdings are required by law. Workers shall not be required to pay employers’ or agents’ recruitment fees or other related fees for their employment. If any such fees are found to have been paid by workers, such fees shall be repaid to the worker.

A1.1 Any type of forced, involuntary or exploitative prison, indentured, bonded (including debt bondage), trafficked or slave labor is not used

Conformance Requirements:
Site Observations: Not applicable
Record Review:
1) Voluntary work
   a) Personnel files and working hour record/wages do not show any form of non-voluntary labor
2) Fees
   a) All Fees and penalties are disclosed to the workers.
   b) Records on Fees are maintained and disclosed to the worker
   c) Fees are not permitted under any circumstances.
   d) Any Fees are required to be returned to the worker within 90 days of discovery.
3) Loans
   a) Personal loans have a repayment maximum of 10 percent of the worker’s monthly gross base wage, including interest, for no more than 6 monthly installments.
   b) Education loan repayments do not exceed 10% of one year of gross base wages. Any education loan cannot be longer than 1 year per loan.

Additional assistance:
Site Observations: Not applicable
Record Review:
1) Voluntary work
   a) examples of non-voluntary work: Lack of workers’ consent to work, unlawful retention of wages or benefits, work through any form of servitude (e.g. negotiation of visa, housing, work in exchange for training), security guards (armed or unarmed) keep workforce under retention
2) Fees
   a) Payroll, wage and other records reviewed show no prohibited fees, excessive fees, significant debt, and/or significant loans except those acceptable fees listed in Appendix 13
3) Fees are defined in Appendix 13. If a fee is not specifically listed in Appendix 13 or does not fit any of the example categories, foreign migrant workers shall not be required to pay anything that a ‘Local’ worker would not be required to pay.

Rating:
Scenario 1 - Prohibited recruitment and hiring fees that were paid and not reimbursed within 90 days, or as soon as practicable upon discovery.
Frequency \ Severity in monthly gross base wages: <100% (<1 month gross base salary) | >100%-150% (> 1 month – 1.5 month gross base salary) | >150% (> 1.5 month gross base salary)
<1% or 3 workers or fewer (whichever is greater): Minor | Major | Priority
>1%-5% or more than 3 workers but less than 7 workers: Major | Major | Priority
>5%-40% or more than 7 workers: Major | Priority | Priority
>40%: Priority | Priority | Priority

Scenario 2 - For findings other than prohibited recruitment and hiring fees paid were not reimbursed within 90 days, or as soon as practicable upon discovery:
Priority: One or more of the following is true:
   1. Penalty to leave without reasonable notice is >3 months of gross base wages
   2. Workers restricted from voluntary employment termination or penalized in other ways when giving reasonable notice.
   3. A Priority item in A1.3, A1.4 or A1.5
   4. Non-voluntary labor is present (other than scenarios above or Major nonconformance)
Major: One or more of the following is true:
   1. Termination notice period more than the stricter of 1 month or law
   2. Penalty to leave without reasonable notice is >60% of 1 month of gross base wages (about 2-3 weeks)
   3. Historic non-voluntary labor was present in last 12 months (situation was removed AND system was not updated)
Minor: Not Applicable
Not Applicable: Not Applicable
Remote Verification Acceptable: NO

NOTE: A1 provisions are linked as per the below diagram.

A1.2 Adequate and effective policy and procedures are established ensuring that any form of forced, bonded, involuntary or exploitative prison, trafficked or slave labor is not used.

Conformance Requirements:
Site Observations: Not applicable
Record Review:
1) Policies
   a) Adequate and effective policies and procedures are in place
      i) To ensure that no forced, bonded, involuntary or exploitative prison, trafficked or slave labor is used
      ii) Stating that workers are not required to pay fees, Excessive Fees, deposits or incur debt as part of the employment
      iii) Stating that when employment has been terminated voluntarily or involuntarily, worker will be paid appropriate amounts for all hours worked.
   b) An implemented procedure to determine the specific amount of any fees and expenses paid by each individual foreign worker prior to commencement of work.
2) Monitoring
   a) Method of monitoring of conformance with policy, monitoring reports and corrective actions are available for review

Additional assistance:
Site Observations: Not applicable
Record Review:
1) Policies
   a) This is applicable for direct and indirect employment workers.
   b) Scope of policies and procedures is during recruiting, hiring and employment.
   c) Stating that workers are not required to pay either as one-time or installment payments, collected directly or through wage deductions.
2) Any non-conformance that is related to worker employment conditions should still be reported within their appropriate subsection elsewhere (e.g. if wages are delayed, benefits not paid, then report in A4).

Rating:
Priority: Not applicable
Major: One or more of the following is true:
   1. No policy or procedure (must include recruitment and hiring practices, termination and other fees/deposits/debt)
   2. No monitoring of program effectiveness
   3. Trafficked or slave labor prohibition requirements are not in contracts with Labor Agents and Contractors
   4. No contracts are in place between the Auditee and Labor Agents and Contractors
   5. Any priority in A1.1
Minor: One or more of the following is true:
   1. Policy and procedures are in place for recruitment but one of the implementation components is missing (e.g., monitoring, correction) in either direct workers or those employed by Labor Agents and Contractors
   2. Monitoring of program effectiveness is in place but corrective actions on findings are open/not in place
Not Applicable: Not applicable
Remote Verification Acceptable: NO

A1.3 Terms of contract are provided in writing and in their native language prior to employment (in case of migrant workers, before they leave their home country/region and no substitution or change(s) was made in the employment agreement upon arrival in the receiving country unless these changes are made to meet local law and provide equal or better terms) of the key employment terms and conditions via employment letter/agreement/contract and explained verbally in their native language so workers understand what the contract states.

Conformance Requirements:
Site Observations: Not applicable
Record Review:
1) Local workers
   a) Workers are informed prior to employment of the key employment terms and conditions either verbally or in writing via contract in their native language.
   b) Contracts state that workers can resign without penalty
2) Migrant workers:
   a) Workers are informed prior to employment and leaving their home country of the key employment terms and conditions either verbally or in writing via contract in their native language.
   b) Contracts state that workers can resign without penalty
   c) No substitution or change(s) allowed in the employment agreement upon arrival in the receiving country unless these changes are made to meet local law and provide equal or better terms
   d) Contracts comply with ILO conventions on Migrant Workers
3) Verbal explanation to workers of the key components of the employment conditions in a language they can understand:
   a) Nature of work
   b) Working hours, Days off and holidays
   c) Leave entitlements
   d) Benefits (housing, transportation, uniforms, ...)
   e) What fees the worker will be charged and the amount(s)
   f) Wages and wage deductions (including all components of social insurance) and how these are calculated.
   g) Other non-legally required benefits provided (pension, insurances, ...)

Additional assistance:
Site Observations: Not applicable
Record Review:
1) Local workers
   a) Contract = employment letter/agreement/contract
   b) Penalty = no threat of punishment, fines, violence, or withholding wages)
   c) Any contract changes are declared and follow good practice communication/negotiation with worker
   d) Defined worker groups (e.g. student, intern, dispatch, etc.) in compliance with legal and/or customer requirements
2) Migrant workers:
   a) Contract = employment letter/agreement/contract
   b) Penalty = threat of repatriation, threat of punishment, fines, violence, or withholding wages).
   c) Any contract changes are declared and follow good practice communication/negotiation with worker
3) A priority rating on this finding also requires a priority rating for A1.1

Rating:
Priority: One or more of the following is true:
   1. Contract substitution for materially worse conditions (e.g. lower wages, different production facility, undisclosed fees for housing, food, etc.)
   2. No contract or conditions communicated prior to employment (before leaving home in case of migrant worker)
   3. Contracts contain language to limit the workers’ ability to voluntarily terminate their employment
Major: One or more of the following is true:
   1. No contract or contract not in native language or contract not delivered prior to departure (in case of migrant workers) BUT conditions were communicated before work began (before leaving home in case of migrant worker)
   2. Contract or conditions communicated were incomplete (missing one or more elements)
   3. Defined worker group mix (e.g. student, intern, dispatch, etc.) exceeds legal limits by >5%
Minor: One or more of the following is true:
   1. Contracts are provided but are incomplete (e.g. missing terms or conditions)
   2. Defined worker group mix (e.g. student, intern, dispatch, etc.) exceeds legal limits by >1% but ≤5%.
Not Applicable: Contracts are not legally required.
Remote Verification Acceptable: NO

A1.4 Upon hiring, the worker’s government issued identification and personal documentation originals are not held by employer/Labor Agent or Contractor (if applicable)

Conformance Requirements:
Site Observations:
1) Workers can demonstrate where personal documents are kept.
2) Workers maintain possession or control over their identity documents
Record Review:
1) Policy
   a) Adequate and effective policies and procedures is in place stating no government issued identification or personal documents originals are held or stored.
2) Worker possession
   a) Worker files contain no workers' personal documentation originals

Additional assistance:
Site Observations:
Record Review:
1) Policy/Procedures
   a) Auditee may request, where permitted, copies of the original documents).
2) Worker possession
   a) Workers' personal documentation originals: e.g. passport; work visa/permit; citizenship, residence, identification, social insurance cards/documents; birth certificate; bank documents; ...).
   b) In some countries, the local law requires employers to hold foreign workers’ personal documents. In those cases:
      i) Procedures are in place for safe keeping of only those personal documents required by law.
      ii) Personal documents must not be tampered with or damaged in any way.
      iii) Worker must have access to those documents within 12 hours of requesting them.
      iv) In no case shall there be a fee for the safe keeping of government-issued identification, passports or work permits.
3) A priority rating on this finding also requires a priority rating for A1.1

Rating:
Priority:
   1. Any original personal documents are destroyed, concealed, confiscated, involuntarily held or access is denied when requested.
Major: One or more of the following is true:
   1. Original personal documents are kept
   2. There is no policy for document safekeeping and/or worker access to their documents when the law requires holding original documents
   3. For workers in any form of company/agent/contractor provided living accommodations, access to personal secure storage is inhibited in >5% of cases.
Minor: One or more of the following is true:
   1. When the law requires holding original documents, a safe keeping policy and procedures are in place but workers cannot access their documents within 12 hours.
   2. For workers in any form of company/agent/contractor provided living accommodations, access to personal secure storage is inhibited in ≤5% of cases.
Not Applicable: Not Applicable
Remote Verification Acceptable: NO

A1.5 There are no unreasonable restrictions on the movement of workers and their access to basic liberties

Conformance Requirements:
Site Observations:
1) If workers reside on site (dormitory), access to the dormitory is open or there are no unreasonable restrictions through procedure or undue security guard restrictions, on worker’s ability to leave the facility including during workers' rest time.
2) Workers move freely when needed to access basic liberties.
3) Workers are free to leave the Auditee location or dormitory when not engaged in work.
4) There are no systems for restriction in place such as toilet passes.
Record Review:
1) Policy
   a) Adequate and effective policies and procedures on freedom of movement are in place.
2) Records
   a) Entry and leave records (if applicable) show no restriction in movement

Additional assistance:
Site Observations:
1) Freedom to enter and leave site does not apply to prison labor
Record Review:
1) Records
   a) Entry and leave records e.g. toilets, drinking water, external medical facilities, factory/dormitory exit and entry.
2) A priority rating on this finding also requires a priority rating for A1.1

Rating:
Priority: One or more of the following is true:
   1. Any situation that is putting workers at a health or safety risk (e.g. locking in factory or dorm).
   2. Workers are restricted from movement through threat of firing, reporting to authorities or similarly severe threat.
Major: One or more of the following is true:
   1. Workers are restricted from movement through threat or penalty (but not a threat of firing, reporting to authorities or similarly severe threat), even if a policy is in place.
Minor: One or more of the following is true:
   1. No policy or procedures are in place on freedom of movement but there are no restrictions on freedom of movement.
   2. Non-coercive restrictions systems/procedures are used (e.g. toilet passes)
Not Applicable: Not Applicable
Remote Verification Acceptable: NO

A2) Young Workers

Child labor is not to be used in any stage of manufacturing. The term “child” refers to any person under the age of 15, or under the age for completing compulsory education, or under the minimum age for employment in the country, whichever is greatest. The use of legitimate workplace learning programs, which comply with all laws and regulations, is supported.
Workers under the age of 18 (Young Workers) shall not perform work that is likely to jeopardize their health or safety of young workers, including night shifts and overtime. Participant shall ensure proper management of student workers through proper maintenance of student records, rigorous due diligence of educational partners, and protection of students’ rights in accordance with applicable law and regulations. Participant shall provide appropriate support and training to all student workers. In the absence of local law, the wage rate for student workers, interns and apprentices shall be at least the same wage rate as other entry-level workers performing equal or similar tasks.

A2.1 Workers are not below the minimum age

Conformance Requirements:
Site Observations:
1) No workers on site appear to be under the minimum age.
Record Review:
1) Records
   a) Personnel file sample shows all workers are above minimum age or above company policy minimum age (whichever is greater)

Additional assistance:
Site Observations:
Record Review:
1) Records
   a) The worker roster shows all workers are above minimum age or above company policy minimum age (whichever is greater)
2) Auditors need to ensure that sample covers all types of workers/employees.

Rating:
Priority:
   1. Confirmed underage workers are present at the facility or were present at the facility in the last six months
Major: One or more of the following is true:
   1. No policy or training on policy in place but no underage workers present
   2. Two or more of the minimum requirement elements is missing or ineffective
Minor:
   1. One of the minimum requirement elements is missing or ineffective, or a system element is not adequately documented or is prohibited
Not Applicable: Not Applicable
Remote Verification Acceptable: NO

A2.2 An adequate and effective policy and process is established to ensure that workers below the legal minimum working age are not hired either directly or indirectly via labor agencies/contractors.

Conformance Requirements:
Site Observations: Not applicable
Record Review:
1) Policy
   a) Adequate and effective child labor prohibition policies and procedures are in place
   b) There is an adequate process in place to verify the reliability of age documents. Age verification must include visual verification of a government recognized photographic identification document.
   c) There is a reliable ID verification system to control the workers' access into the facility
   d) Auditee does not refuse the worker's job application after the “child” worker's age meets legal requirements.
2) Underage assistance
   a) There is a procedure to assist underage children found working for the Auditee that is designed to provide for the welfare of the child

Additional assistance:
Site Observations:
Record Review:
1) Policy
   a) Inspect and cross-reference to verify the validity at least two types of official ID*
   b) Reliable ID verification system to control the workers' access into the facility e.g. finger printing or ID card with owner's photograph to prevent under-age workers entering the facility by using another person's ID
   c) ID types for verification and cross-reference
      i) Matching photographic ID to worker’s face
      ii) Verification through third-party resources where available, such as Internet resources or local government offices
      iii) Birth certificate
      iv) Government-issued personal identification card
      v) Driver’s license
      vi) Voting registration card
      vii) “Official stamped” copy of a school certificate
      viii) Affidavit from local government representative
      ix) Foreign national work permit or other government recognized document.
2) Underage assistance includes
   a) Health exam and appropriate action if necessary
   b) Completion of compulsory schooling
   c) Maintaining the child's income until legally eligible to work
   d) When they exist, and are acceptable by law, to move underage workers into proper apprenticeship positions, restricting their hours and type of work to accommodate educational needs, as required, rather than discharging or fining of these workers.

Rating:
Priority:
   1. Child or underage workers are hired directly or indirectly through a labor agent/contractor
Major: One or more of the following is true:
   1. No formal policy and process in place AND no proof-of-age documentation
   2. If A2.1 Priority then default Major Non-conformance for inadequate process
Minor:
   1. Formal policy in place, however, the process is incomplete or proof-of-age documentation is missing
Not Applicable: Not Applicable
Remote Verification Acceptable: NO

A2.3 Workers under the age of 18 are not allowed to perform work that is likely to jeopardize the health or safety of these young workers, including night work or overtime.

Conformance Requirements:
Site Observations:
1. No workers under 18 are performing jobs that are hazardous
Record Review:
1) Policy
   a) Adequate and effective young worker policies and procedures are in place
   b) Implementation mechanisms are clearly defined and implemented including:
      i) Health checks if required by law
      ii) Clear risk evaluation
      iii) Restriction on hours worked and time of day worked
      iv) Identification and assignment of young workers to non-hazardous positions
      v) Young workers are not allowed night work or overtime
2) Records
   a) The implementation mechanisms are reflected in personnel files, medical files and work time records.

Additional assistance:
Site Observations:
Record Review:
1) Policy
   a) Night work: Night work for young workers may be defined specifically by local law though generally means any consecutive period of at least 7 hours between 10 PM and 7 AM
   b) Immediate containment, (i.e. re-assignment, putting on to day shift only … not termination) is required in Priority and Major findings regarding young workers
2) Records
   a) The analysis 100% of Young Worker working hours, overtime, days of rest are to be noted here in A2.

Rating:
Priority: One or more of the following is true:
   1. Young workers are doing hazardous work
   2. Young workers are working overtime
   3. Young workers are doing night work
Major: One or more of the following is true:
   1. No policy
   2. Two or more of the minimum requirement elements is missing or ineffective
Minor:
   1. One of the minimum requirement elements is missing or ineffective, or a system element is not adequately documented or is prohibited
Not Applicable:
   1. Policy and implementation mechanisms are in place AND No workers under age 18 on site.
Remote Verification Acceptable: NO
2018 RBA Audit Manual (Chinese-English bilingual)
B. Health and Safety
B1) Occupational Safety
B2) Emergency Preparedness
B3) Occupational Injury and Illness
B4) Industrial Hygiene
B5) Physically Demanding Work
B6) Machine Safeguarding
B7) Food, Sanitation and Housing
B8. Health and Safety Communication
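VPA Audit Checklist

I. Overview
A VPA (Virtual Personal Assistant) is a virtual personal assistant technology that uses intelligent speech recognition and artificial intelligence to understand and carry out users' voice commands and to provide a range of services and assistance.
The VPA audit checklist is a tool for assessing whether a VPA system meets the relevant requirements and standards. This article describes the contents of the checklist in terms of functionality, usability, security and other aspects.

II. Functionality
1. Speech recognition accuracy
- Whether the VPA can accurately recognize the user's voice commands, especially in complex acoustic environments;
- Whether the VPA can correctly understand the user's intent and give an appropriate response.
2. Functional coverage
- Whether the VPA provides common personal-assistant functions, such as sending text messages, checking the weather and playing music;
- Whether the VPA supports integration with third-party applications to provide a wider range of functions.
3. Multilingual support
- Whether the VPA can recognize and process multiple languages;
- Whether the VPA can provide responses and services in multiple languages.

III. Usability
1. User interface friendliness
- Whether the VPA's user interface is clean, clear and easy to operate;
- Whether the VPA's responses are clear and unambiguous, so that users can understand them easily.
2. Response speed
- Whether the VPA responds quickly after the user issues a command, so that the user is not kept waiting too long;
- Whether the VPA's response speed depends on the quality of the user's network connection.
3. Interaction experience
- Whether the VPA can continuously learn the user's preferences and habits and provide personalized services;
- Whether the VPA can automatically correct recognition errors, so that the user does not have to repeat commands.

IV. Security
1. User privacy protection
- Whether the VPA protects the user's private information and does not disclose it to third parties;
- Whether the VPA gives users control over and management of their personal data.
2. Security certification
- Whether the VPA has passed the relevant certification to ensure the security and reliability of the system;
- Whether the VPA has mechanisms to prevent malicious attacks and abuse.
3. Data backup and recovery
- Whether the VPA backs up user data regularly to avoid data loss;
- Whether the VPA can promptly restore user data after a system failure or unexpected event.

V. Other factors
1. Device compatibility
- Whether the VPA can run on different devices, such as smartphones and smart speakers;
- Whether the VPA can adapt to the screen sizes and operating methods of different devices.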
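RBA Verification Audit Plan VAP Operations Manual

1. Introduction
This document provides detailed information on the operations manual for the RBA (Risk-Based Authentication) verification audit plan VAP (Verification, Audit, and Performance).
The RBA verification audit plan VAP is a framework for evaluating authentication systems. It helps organizations identify and manage risk and thereby improve the security and performance of their systems.

2. Audit Plan Overview
The RBA verification audit plan VAP is a comprehensive project whose main goal is to evaluate the effectiveness, reliability and compliance of an authentication system.
The plan consists of the following main steps:

2.1 Authentication system configuration audit
In this step, the configuration of the authentication system is audited to ensure that the system is correctly configured to meet security requirements.
The audit covers the system's authentication policy, access control settings, password policy and related areas.

2.2 Authentication log audit
Authentication logs are an important basis for assessing how well the authentication system works and what potential risks may exist.
In this step, the authentication logs are audited in detail to identify problems such as anomalous activity and unauthorized access.

2.3 Performance evaluation
The performance evaluation tests the authentication system under normal and peak load.
The evaluation includes stress testing, response time testing and load balancing testing, to ensure that the system can handle high load and maintain good performance.

2.4 Effectiveness and compliance testing
In this step, effectiveness and compliance tests are carried out to assess whether the authentication system meets the requirements of the relevant regulations and standards.
The testing includes risk assessment, security scanning and compliance checks.

3. Operations Manual

3.1 Audit plan preparation
Before executing the RBA verification audit plan VAP, appropriate preparation is required, including the following steps:
• Define the audit objectives and scope: state clearly the objectives of the audit and the scope it covers, so that the audit work can be targeted.
• Define the audit standards and criteria: set the standards and criteria for the audit, so that the authentication system can be evaluated accurately.
• Assign the audit team: designate the person responsible and form the audit team, and make sure team members have the necessary skills and experience.
• Select the audit tools and techniques: choose suitable audit tools and techniques, so that the audit plan can be executed efficiently.

3.2 Executing the audit plan
While executing the audit plan, proceed according to the following steps:
1. Collect and analyze relevant documents and materials: collect and analyze the documents and materials related to the authentication system, including configuration files, logs and audit reports.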
AudioCodes One Voice Operations Center (OVOC) Administrator's Manual
IP Phone Manager Pro and Express
Administrator's Manual
One Voice Operations Center
Version 7.6
Document #: LTRT-91200

Table of Contents
1 Introduction
1.1 About this Guide
1.2 About the Agent
1.3 Benefits
1.4 Security
1.4.1 Managing Devices within the Same Network as OVOC
1.4.2 Managing Devices behind a NAT
1.4.3 Sending Actions from OVOC to Devices behind a NAT, via Agent
2 Setting up Device Manager Agents
2.1 Enabling Device Manager to Support Agents
2.2 Installing a Device Agent
2.3 Configuring a Device Agent
2.4 Configuring a Tenant
3 Monitoring Device Manager Agents

List of Figures
Figure 1-1: Managing Devices within the Same Network as OVOC
Figure 1-2: Managing Devices behind a NAT
Figure 1-3: Sending Actions from OVOC to Devices behind a NAT, Using Manager Agent
Figure 1-4: Device Manager Key
Figure 2-1: Enabling Manager Device to Support Agents
Figure 2-2: Agent’s Web Interface
Figure 2-3: Tenant Configuration
Figure 3-1: Monitoring Device Manager Agents

Notice
Information contained in this document is believed to be accurate and reliable at the time of printing. However, due to ongoing product improvements and revisions, AudioCodes cannot guarantee accuracy of printed material after the Date Published nor can it accept responsibility for errors or omissions. Updates to this document can be downloaded from https:///library/technical-documents .
This document is subject to change without notice.
Date Published: March-24-2019

WEEE EU Directive
Pursuant to the WEEE EU Directive, electronic and electrical waste must not be disposed of with unsorted waste. Please contact your local recycling authority for disposal of this product.

Customer Support
Customer technical support and services are provided by AudioCodes or by an authorized AudioCodes Service Partner. For more information on how to buy technical support for AudioCodes products and for contact information, please visit our website at https:///services-support/maintenance-and-support .

Documentation Feedback
AudioCodes continually strives to produce high quality documentation. If you have any comments (suggestions or errors) regarding this document, please fill out the Documentation Feedback form on our Web site at /documentation-feedback .

Abbreviations and Terminology
Each abbreviation, unless widely used, is spelled out in full when first used.
1 Introduction

1.1 About this Guide
This guide shows how to install and configure the Device Manager Agent software application in order to manage devices located behind a NAT | Firewall from the OVOC.

1.2 About the Agent
The Device Manager Agent is software that can run on a Windows machine, downloadable from AudioCodes website. The Agent is installed on a specific host by the network administrator using an msi file. The host machine must use one of the following operating systems:
• Windows 10
• Windows server 2012
• Windows server 2016
The Agent is configured with the OVOC’s FQDN or IP address. The Agent is also configured with the OVOC tenants related to it. The Agent is configured with a key, used to authenticate the Agent in the OVOC. After the Agent is configured and running, it sends a message to the OVOC at < 60 second intervals to check if there are actions for the devices under it. If there are, the Agent fetches an action list from the OVOC and performs the actions one by one on each device. The action list is:
• Check status
• Update firmware
• Reset phone
• Update configuration
• Send message
The Agent is stateless, i.e., it does not know if the action was successful or not.

1.3 Benefits
The Device Manager Agent enables network administrators using the OVOC to manage devices located behind a NAT | Firewall in a local enterprise network, from a global cloud network.
The Agent application allows the OVOC to send actions directly to devices.
Deployed on an enterprise’s premises, the Agent opens a communications channel with the OVOC located in the global cloud network. The OVOC is then able to send commands to devices in the local network.
The OVOC consequently allows
• Internet Telephony Service Providers (ITSPs) to remotely manage devices in enterprise customer networks, through cloud services
• Software as a Service (SaaS) by a centralized hosting business
• Enterprise network administrators to manage devices located within their own network

1.4 Security
The connection between the OVOC and the Agent is secured using HTTPS over port 443. The Agent can operate with the devices using HTTPS as well.

1.4.1 Managing Devices within the Same Network as OVOC
The OVOC allows enterprise network administrators to manage devices located within their own network, viz., the on-premises solution.
• Devices send a keep-alive message to the OVOC once every hour
• The keep-alive timeout can be reduced per the number of the devices in the network
• Actions are sent interactively from the OVOC to the devices
Figure 1-1: Managing Devices within the Same Network as OVOC

1.4.2 Managing Devices behind a NAT
• Devices send a keep-alive message to the OVOC once every hour
• The keep-alive timeout can be reduced per the number of the devices in the network
• The OVOC can’t send actions to devices; devices send a configuration file (which can include actions) downloaded from the OVOC once a day (configurable).
Figure 1-2: Managing Devices behind a NAT

1.4.3 Sending Actions from OVOC to Devices behind a NAT, via Agent
• Devices send a keep-alive message to the OVOC once every hour
• The keep-alive timeout can be reduced per the number of the devices in the network
• Actions are sent interactively from the OVOC to the devices, communicating via a NAT pinhole created by the Agent.
The Agent checks for new actions for devices related to it, in the OVOC. If actions are present, the Agent performs them on the devices.
Figure 1-3: Sending Actions from OVOC to Devices behind a NAT, Using Manager Agent

The OVOC determines per tenant if devices are behind a NAT and if an Agent is installed. The Device Manager has its own unique key to ensure that only authenticated Agents can access the application. The key is displayed in the ‘Devices Agents Configuration’ page of the Device Manager.
Figure 1-4: Device Manager Key

The network administrator must configure this key on the Agent, using the Agent’s Web Interface (see under Section 2.3 for detailed information). This must be done for Agent authentication purposes.
Each tenant operating with an Agent aggregates the actions of all devices under it. An Agent can handle more than one tenant.
When a network administrator performs an action in the OVOC on a specific device or list of devices, a message pops up indicating that the action was sent to the device and the status of the device will be updated in a few minutes.
Actions are stateless; after the Agent receives the list of actions, it’s deleted from the OVOC. Actions are not reliable; the network administrator can only determine if an action was performed by viewing the device status and device alarms.

2 Setting up Device Manager Agents
Before installing and configuring the Device Manager Agent, the Device Manager must be enabled to support Agents as shown in the next section.

2.1 Enabling Device Manager to Support Agents
The network administrator can enable support for the Agent in the Device Manager.
To enable support for the Agent:
1. In the Device Manager, open the Devices Agents Configuration page (Setup > System > Device Agents).
2. Drag the Enable Manager Device Agents slider to the ‘on’ position.
Figure 2-1: Enabling Manager Device to Support Agents
3. Click Save; the Device Manager now supports Agents.
4. Make sure that the icon is displayed in the uppermost right corner of the Device Manager GUI.
5. If it isn’t displayed, log out and log in again.

2.2 Installing a Device Agent
Before installing the Device Manager Agent software application, make sure you have a clean Windows server
• with at least two cores for every 300 devices
• inside the NAT network (mandatory)
• able to reach all devices (mandatory)
To download the installation:
1. Click
2. Go to your Windows server and install it.

2.3 Configuring a Device Agent
After installing the Device Manager Agent software application on the desktop, view the following icon displayed:
To configure a Device Agent:
1. Click the icon shown above which is displayed after installing the Device Manager Agent software application on the desktop; the Agent’s Web Interface page opens.
Figure 2-2: Agent’s Web Interface
2. Enter the OVOC’s IP Address/FQDN.
3. In the ‘Manager Service Key’ field, enter the key. Obtain it from its field displayed in the ‘Devices Agents Configuration’ page in the Device Manager (Setup > System > Device Agents) (see Figure 1-4).
4. Enter a tenant name (you can set more than one tenant using the + icon)
5. Click Save Parameters.

2.4 Configuring a Tenant
Devices can send all their traffic directly to the OVOC or through an Agent. For devices to send their traffic through an Agent (recommended), you need to perform configuration at the tenant level. The tenants are the same tenants you configure in the Agent.
To configure a tenant:
• In the Device Manager, open the Tenant Configuration page (Setup > Devices Configuration > Tenant Configuration).
Figure 2-3: Tenant Configuration
To configure keep-alive traffic to be sent via the Agent:
ems_server/provisioning/url http://AGENT_IP
To configure configuration files traffic to be sent via the Agent:
provisioning/configuration/url http://AGENT_IP/configfiles
To configure firmware files traffic to be sent via the Agent:
provisioning/firmware/url http://AGENT_IP/firmwarefiles/%ITCS_FirmwareFile%

3 Monitoring Device Manager Agents
The Device Manager allows network administrators to view a list of Device Manager Agents registered to the deployment as well as view the last action each Agent performed for its devices.
To monitor Agents:
1. In the Device Agents Configuration page, click the button or the icon displayed in the uppermost right corner.
Figure 3-1: Monitoring Device Manager Agents
2. View in the Devices Agents Status page that opens (shown in the preceding figure):
• the names of the Agents registered in the deployment
• the names of the Tenants under which Agents are registered
• the date and time each Agent was registered
• the last action each Agent performed for its devices

International Headquarters
1 Hayarden Street, Airport City
Lod 7019900, Israel
Tel: +972-3-976-4000
Fax: +972-3-976-4040

AudioCodes Inc.
200 Cottontail Lane, Suite A101E, Somerset, NJ 08873
Tel: +1-732-469-0880
Fax: +1-732-469-2298

Contact us: https:///corporate/offices-worldwide
Website:
© 2019 AudioCodes Ltd. All rights reserved. AudioCodes, AC, HD VoIP, HD VoIP Sounds Better, IPmedia, Mediant, MediaPack, What’s Inside Matters, OSN, SmartTAP, User Management Pack, VMAS, VoIPerfect, VoIPerfectHD, Your Gateway To VoIP, 3GX, VocaNom, AudioCodes One Voice and CloudBond are trademarks or registered trademarks of AudioCodes Limited. All other products or trademarks are property of their respective owners. Product specifications are subject to change without notice.
Document #: LTRT-91200
vApp Deployment and Configuration Guide (vCenter Operations Manager 5.7)
vSphere Web Application
The vCenter Operations Manager vSphere UI provides summary and more in-depth information about the vSphere environment.
Enterprise Web Application
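The vCenter Operations Manager Enterprise application provides a web-based custom user interface. It is available with the Enterprise edition and provides information about the entire enterprise.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.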
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304
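Beijing office: 8th Floor, South Wing, Tower C, Raycom InfoTech Park, No. 2 Kexueyuan South Road, Haidian District, Beijing /cn
Installing an Adapter in the vApp
6 Managing the Infrastructure Navigator Adapter
Modifying Adapter Configuration Properties
Viewing System Log Files
Infrastructure Navigator Adapter Classes
7 Updating vCenter Operations Manager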
Administration Web Application
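EICC (Version 5.0) Validated Audit Process (VAP) - VAP Operations Manual (Chinese Edition): 12 EICC Code Interpretation Guidance
Note: A Priority rating also requires an A1.1 Priority rating. Remote verification: No
EICC VAP Operations Manual v5.0.1
For EICC internal use only, for EICC-approved audits
Rating:
Priority: Not applicable
Major:
o No policy or procedure (must cover recruitment and hiring practices, termination of employment, and other fees/deposits/debts)
o Any policy or procedure does not comply with the law
o No training or communication
o The effectiveness of the program is not monitored
o The prohibition on trafficking or enslaving labor is not effectively communicated to subcontractors and labor agents
o Priority nonconformances in A1.1, A.1.3, A1.4 and A1.5
Minor:
o Policies and procedures are in place for recruitment and hiring practices, termination of employment, and other fees/deposits/debts, and they comply with the law, but for workers hired directly or through labor agents/subcontractors one component (for example, training or communication, monitoring, correction) is missing.
o The effectiveness of the program is monitored, but the corrective actions identified are not completed or not implemented
Not applicable: Not applicable
Remote verification: No
Termination and early departure: if a worker leaves without giving sufficient notice, a penalty is payable, but the penalty must not exceed 60% of 1 month's total base salary (approximately 2-3 weeks). Workers can resign voluntarily within the timeframe defined by law (without facing penalties, fines, violence or withheld wages).
Management interview:
o Management can state:
  - The facility does not retain workers' original IDs or documents
  - No deposits or withholding of wages are required
  - Workers can resign with the legally required notice period and are free to leave the facility premises after their shift
  - Workers who voluntarily terminate employment do not face penalties
  - Which fees (if any) workers pay, how these are recorded, and whether they comply with the EICC Code
  - Under no circumstances may fees be excessive.
Worker interview:
o Interviewed workers state:
  - When they started working at the auditee's facility
  - How they obtained this job, in particular the steps the company took (advertisement, friends, relatives, labor agent, intermediary)
  - Which fees or debts (if any) they have to pay
  - If any fee is required, workers can confirm that they were informed about the fees before making a commitment.
  - How much is deducted from their monthly wages to repay loans
  - When they can leave, and that they can resign voluntarily within the timeframe defined by law (without facing penalties, fines, violence or withheld wages)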
audit vault
• Audit Repository
• Secure, tamper-evident • Scalable, reliable, highly available
• Audit Data Analysis
• Enable correlation of audit data • Reports and alerts
Audit Data Collection
Configuration Model
Audit Data Collection
Audit Data Repository
Audit Data Collection
Audit Data Analysis
Project Audit Vault
Oracle Database 10g Release 2
Business Challenges
• Data Misuse Detection / Privacy Violation
• Insider threat
• Identity theft
• Industrial espionage
• Government espionage
AADvance Training Manual, Chinese Edition
System Training Manual: Operation, System Build, Configuration, Programming, Troubleshooting, Maintenance
AADvance Programmable Controller Guide, Version 1.5, May 2012
AADvance System Training Manual, version 1.5
Notice
The content of this document is confidential to ICS Triplex and their partners. This document contains proprietary information that is protected by copyright. All rights are reserved. No part of this documentation may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose, without the express written permission of ICS Triplex.
The information contained in this document is subject to change without notice. The reader should, in all cases, consult ICS Triplex to determine whether any such changes have been made.
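EICC (Version 5.0) Validated Audit Process (VAP) - VAP Operations Manual (Chinese Edition): 8 On-site Audit Process
©2015 Electronic Industry Citizenship Coalition. All rights reserved. No part of these materials may be reproduced or transmitted in any form or by any means (for example electronic or mechanical, including but not limited to photocopy, recording or any other information storage or retrieval system known now or in the future) without the express written permission of the Electronic Industry Citizenship Coalition. Under the U.S. Copyright Act and applicable copyright laws, any unauthorized reproduction or distribution of this copyrighted work is illegal and may result in civil or criminal penalties.
8.4.1 Observable objective evidence
When conducting interviews, making observations and reviewing documents and records, auditors must rely only on observable objective data and facts (with no further inference). A fact is information that is:
• objective and verifiable;
• stated or recorded; and
• not influenced by emotion or bias.
While facts can easily be verified by checking their source, inferences are choices or assumptions made on the basis of incomplete information. Although inferences contribute to audit observations and findings, they need to be further evaluated and verified before conclusions are drawn.
Corroboration of data
Multiple data points must be used to verify findings of conformance or nonconformance. The purpose of corroboration is to ensure that audit findings accurately reflect the facility's policies, practices and workplace conditions at the time of the audit. Corroboration helps ensure that audit findings are credible and persuasive.
Triangulation is a corroboration process that overlays data from different data collection sources. The idea behind triangulation is that if data of different sources and types point to the same result, the result is more credible. In addition, more data makes it easier for the auditee to identify the root cause of a problem and implement effective corrective and preventive actions.
8.2 Opening meeting
The purpose of the opening meeting is for the audit team to get acquainted with the auditee's management and staff and to review the important aspects of the audit, for example the plan, the specific areas to be audited, and how the report will be prepared and submitted.
8.2.1 Audit team presentation
The lead auditor will review the audit schedule, the audit process and scope, and other items the auditee may request. The opening meeting with the auditee's management must not last longer than 1 hour. The lead auditor should use the PowerPoint presentation template "EICC Audit Opening Meeting Template". The layout of the slides may be modified as needed.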
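RBA Responsible Business Alliance VAP Operations Manual 7.1, Part C: Environment (Chinese Edition)
Applicable
Interview the staff responsible for operating and maintaining the air emissions treatment system
Site Observations
Record Review
Management Interview
Worker Interview
1) A procedure for assessing the integrity of the existing process air emissions treatment system:
a) Periodic testing of the air emissions system
Not Applicable
Record Review
Management Interview
Worker Interview
1) Examples of GHG engineering controls
a) Building automation technology, programmable thermostats, lighting controls, or energy-efficient heating, cooling, lighting and ventilation technologies
b) Use of on-site combustion equipment or vehicles that are more fuel-efficient or use sources that emit fewer greenhouse gases (natural gas, ethanol, etc.).
Site Observations
Record Review
Management Interview
Worker Interview
Not Applicable
1) Maintain assessments, visit records or audit reports for each non-governmental transport and disposal vendor, together with the areas that may need improvement
2) Hazardous waste inventory records are maintained and accurate.
3) Inspection records for hazardous waste and its storage locations are maintained and accurate.
Record Review
Management Interview
Worker Interview
1) Engineering controls are used where appropriate
2) Water sources (on-site water inlets) are clear
3) Water withdrawal points and discharge points do not appear to seriously affect local water bodies (for example, strongly colored discharge, pungent odors, floating debris, etc.).
4) Equipment such as tanks, piping and storage containers is compatible with the waste being stored and transported.
YES
C4) Air emissions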
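Code Audit Textbooks
There are many code audit textbooks; the following are some classic ones:
1. C Primer Plus (6th Edition) - Stephen Prata: This book is a very popular code audit textbook, suitable for learners with no prior background. It introduces the fundamentals of the C language and programming techniques in a concise and clear way.
2. Code Auditing: From Fundamentals to Practice (《代码审计:从基础到实践》): This book systematically introduces the fundamentals and practical techniques of code auditing, including code audit methods, tools, techniques and case studies.
3. Hacker Attack and Defense Techniques: Web in Practice (《黑客攻防技术宝典:Web实战篇》): This book mainly covers attack and defense techniques for web applications, including common vulnerabilities and attack methods, and how to carry out effective code audits and defenses.
4. Code Auditing in Practice: A Tutorial (《代码审计实战教程》): This book is a fairly systematic code audit textbook that goes from fundamentals to practice and describes in detail the code audit process, methods, techniques and tools.
5. Software Security and Code Auditing (《软件安全与代码审计》): This book mainly introduces the basic concepts, methods and techniques of software security and code auditing, including common security vulnerabilities and attack methods, and how to carry out effective code audits and defenses.
The textbooks above can serve as references. Choose one that suits you and combine it with study and practice on real projects in order to master code auditing techniques.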
Professional English for Auditing (《审计专业英语》): Courseware
Types of audits
Summary: There are various types of audits, including financial statement audits, compliance audits, and operational audits.
Detailed description: Financial statement audit is the most common type of audit aimed at evaluating the accuracy and compliance of financial statements. Compliance audits focus on evaluating whether an organization complies with relevant laws, regulations, and industry standards. Business auditing focuses on the operational efficiency and effectiveness of an organization to help improve management.
Quality control criteria
Quality control refers to the processes and procedures established to ensure the quality of an audit. Criteria such as planning, risk assessment, supervision, documentation, and review are essential for maintaining quality control.
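Deep Learning Question Set
I. Multiple-choice questions
1. Which of the following statements about the fundamentals of neural networks is correct? ( )
A. A neural network is a rule-based machine learning method.
B. Neural networks can only handle linearly separable problems.
C. Neural networks learn the patterns in data by adjusting the connection weights between neurons.
D. Training a neural network does not require large amounts of data.
Answer: C.
A neural network is a data-driven machine learning method; it can handle problems that are not linearly separable, and it needs large amounts of data for training.
By adjusting the connection weights between neurons, a neural network can learn the complex patterns in the data.
2. In deep learning, is performance always better the more layers a neural network has? ( )
A. Yes; more layers means a more complex model, so performance is necessarily better.
B. Not necessarily; too many layers may lead to problems such as overfitting.
C. No; more layers reduce computational efficiency, so performance actually gets worse.
D. It depends on the size of the dataset; with a large dataset, more layers give better performance.
Answer: B.
Although adding layers can increase a model's expressive power, too many layers may lead to overfitting, higher demand for computing resources, training difficulties and other problems, so more layers do not necessarily mean better performance.
3. What is the main role of the activation function in a neural network? ( )
A. To increase the complexity of the neural network.
B. To increase the computation speed of the neural network.
C. To introduce non-linearity so that the neural network can learn complex functions.
D. To reduce the number of parameters of the neural network.
Answer: C.
The main role of the activation function is to introduce non-linearity, so that the neural network can learn and represent complex functional relationships.
Without activation functions, a neural network could only learn linear functions and could not handle complex real-world problems.
4. Which of the following activation functions outputs zero when the input is negative? ( )
A. The Sigmoid function.
B. The Tanh function.
C. The ReLU function.
D. The Softmax function.
Answer: C.
The ReLU (Rectified Linear Unit) function outputs zero when the input is negative and outputs the input itself when the input is positive.
The Sigmoid and Tanh functions do not output zero when the input is negative, and the Softmax function is mainly used for multi-class classification problems; it is not a function that outputs zero when the input is negative.
5. For deep neural networks, which of the following statements is correct? ( )
A. The training time of a deep neural network is proportional to the number of layers.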
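AUDIT Basic Training Courseware
Conditions that slightly affect installation, such as misaligned nuts or nuts clogged with adhesive
Improper fit
Overlapping parts interfere with each other and impair part function
The gap at areas that need sealing is too large, making sealing difficult
Improper overlap reduces corrosion resistance
※ Attachment forms
On-site record sheet
Daily report
Monthly report
Response form
AUDIT
Obvious dent marks appear on the lower edge of the front door; should points be deducted??? Reason
◈ Contents
1. Background to the introduction of AUDIT
2. Overview of BIW AUDIT
3. BIW AUDIT specification
4. BIW AUDIT criteria
1. Background to the introduction of BIW AUDIT
1. Domestic background
Earlier quality inspection methods mainly judged from the producer's point of view whether product quality met the standard; whether the product met customers' needs could only be learned after the product had been put on the market, which often caused the company losses that were hard to recover.
4. BIW AUDIT evaluation criteria
1. Appearance evaluation
☞ Evaluation grade surfaces
▷ Grade 1: from the "R" curvature change point of the front and rear bumpers up to the roof. Note: includes the parts of the roof within arm's reach (30 cm inward from the edge when the body height exceeds 170 cm; the entire roof when the body height is below 170 cm).
▷ Grade 2: exterior surfaces below Grade 1, and relatively visible interior surfaces such as the window frames seen after the doors are opened (except where covered by assembled parts in later processes)
(Figure labels: Grade 1, Grade 2)
amount a is greater than 1.0 mm
Example: |(M-N)| = a (figure labels: M, N)
3. Welding evaluation
Item/Grade
Safety part
Welding: burrs, spot welding, gas-shielded welding
A (10.0)
Function impaired due to welding deformation
Can cause injury on contact; hinders operability in later processes
Missed welds or off-position welds at important locations; frequent separation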
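RBA VAP Operations Manual - Chinese Translation Draft, Part A
Revision 6.0.0 - January 2018. Organizations working with and in the Responsible Business Alliance (RBA) are working to improve sustainability and social responsibility within the global supply chain.
These companies recognize a mutual responsibility to ensure working conditions are safe, workers are treated with respect and dignity, and that manufacturing practices are environmentally responsible.
The Validated Audit Program (VAP) is a collaborative approach to auditing to reduce the burden on supply chain companies from multiple requests for social audits.
The VAP meets the need for a high quality, consistent and cost-effective standard industry assessment for labor, ethics, health, safety and environmental practices based on the RBA code of conduct, laws, and regulations.
1. General Notes
This Appendix outlines requirements or AC for site observation, document review, management knowledge and understanding and worker awareness and understanding for each of the RBA Code provisions as described in the most current VAP OM.
These are termed Conformance Requirements in this Appendix.
All of the Conformance Requirements must be met for the Auditors to conclude Conformance for that AC.
The appendix also provides additional clarification, definitions, details and examples.
These are termed Additional Assistance.
Additional Assistance is guidance and assistance to the Conformance Requirements but does not in itself form a requirement of conformance.
Additionally, this Appendix provides guidance for rating non-conformance for each of the AC.
The following notes apply for all provisions herein:
• When there is a discrepancy between the RBA code, local law, a participant's policies or a Collective Bargaining Agreement, the RBA defines conformance to the RBA code as meeting the strictest requirements (even if it meets RBA code provisions and legal requirements).
• A legal non-conformance is a Major non-conformance unless otherwise stated in a specific provision (e.g. A3.1 if situation of Auditee is below 60h/w but above local law for ≤40% of the workers) or there is another finding which has a higher non-conformance rating for that provision
• For the purpose of rating, an element is defined as any listed Conformance Requirement.
• All communications from Auditee to workers must be done in a language the worker can understand unless otherwise stated in the provisions.
If this is not the case, the relevant aspect is at least a "Major" non-conformance.
• All AC apply to all workers, including temporary, migrant, student and contract workers, and direct and indirect employees working in the factory/production/warehouse and any other type of worker/employee, unless the AC specifically indicates a narrower focus group.
• Unless otherwise stated, references to the percentage of workers in conformance or non-conformance are based on the sample as defined.
• A process does not need to be written up ISO-style (unless the AC specifically states that it must be documented), but all processes must be verifiably implemented in a consistent way
• "Supplier" in this section means "next-tier major supplier".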
AXIS Device Manager Version 1.3 Security Control Reference Guide
Application guide
Security control with AXIS Device Manager
Version 1.3
Last updated: June 1, 2023

Contents
1. Introduction
1.1 Three layers of cybersecurity protection
1.2 Purpose of this document
1.3 About AXIS Device Manager
2. Device inventory
3. Account and password policy
4. Firmware upgrades
5. Additional hardening
6. Certificate Authority Service
7. Certificate lifecycle management
8. Conclusion

1. Introduction
The importance of cybersecurity continues to increase in the surveillance and security sectors. Effective cybersecurity demands ensuring depth of defense to properly protect your IP network at every level – from the products you choose and the partners you work with to the requirements they – and you – set.

1.1 Three layers of cybersecurity protection
We deliver three layers of cybersecurity protection:
1. Security management: requires applying the security controls you need to mitigate the threats you face. It can be divided in two parts: security controls and cost-effective management. Security controls are safeguards or countermeasures employed to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems or other assets.
2. Vulnerability management: encompasses everything Axis does to apply cybersecurity best practices in the design, development and testing of our products to minimize the risk of flaws that could be exploited. When vulnerabilities are discovered, we manage them; we fix critical vulnerabilities promptly and we issue security advisories.
3. Learning and collaboration: is about Axis, you and the partners involved in your IP network gaining and sharing a clear and common understanding of the threats you face, their potential impacts and how to protect your network.

1.2 Purpose of this document
This application guide describes how AXIS Device Manager can be used to harden your system and increase security. It focuses on key aspects and describes recommendations.

1.3 About AXIS Device Manager
AXIS Device Manager is an on-premise tool that delivers an easy, cost-effective and secure way to manage all major installation, security and maintenance device management tasks (see table below). It is suitable for managing up to a couple thousand Axis devices on one site — or several thousand devices on multiple sites. AXIS Device Manager enables you to efficiently deploy cybersecurity controls to protect your network devices and align them to a security infrastructure.
Footnote 1: Active Directory Certificate Services not currently supported; validated for FreeRADIUS running on Linux
Figure 1. Multi-site management
Figure 2. Firmware upgrade
Figure 3. Certificate management

2. Device inventory
A fundamental aspect of ensuring the security of an enterprise network is maintaining a complete inventory of the devices on it. When creating or reviewing an overall security policy, it is important to have knowledge and clear documentation about each device and not just critical assets. That is because any single overlooked device can be a means of entry for attackers. You can’t protect devices which you overlook or are not fully aware of.
Device inventory represents an essential step in securing an enterprise network. AXIS Device Manager helps you as it:
> Lets you easily access a current, complete inventory of your network devices when working with audits and incident responders
> Provides a complete list of your devices; sort by: total number, type, model numbers, etc.
> Gives you status of each device on your network
AXIS Device Manager provides a clear view of your inventory of devices.

Recommendations
AXIS Device Manager provides an automated means to gain access to a real-time inventory of Axis network devices. It lets you automatically identify, list and sort your devices. As important, it lets you use tags so that you can group and sort devices based on your own criteria. This makes it easy to gain an overview of and document all Axis devices on your network.

3. Account and password policy
Authentication and privilege control is an important part of protecting network resources. Implementing policy helps reduce the risk of accidental or deliberate misuse over a longer period of time. A key part is to reduce the risk of compromised passwords. Strong passwords are important. However, device passwords can spread within an organization. When they do, you lose control over who may access them. AXIS Device Manager helps you easily manage multiple accounts and passwords for Axis devices.

Why you should have more than one user account in devices
> You control privilege levels for different user types (machines and humans)
> You reduce risk of compromising the root (master) password
> You can reset credentials for one user type without impacting other users

Working with privileges in AXIS Device Manager
In AXIS Device Manager, Axis devices can support multiple accounts and belong to three different privileges levels: viewer, operator and administrator. Here is how privileges can be managed for Axis network cameras.
Users with viewer privileges may access video and control PTZ. Those with operator rights may optimize camera settings and video stream profiles. Administrators can administrate accounts, modify network settings and control a number of services in the device. Each role accessing the camera should have its own account.

Recommended steps to follow
> Before adding cameras to the VMS it is recommended to add the cameras to AXIS Device Manager.
> In AXIS Device Manager, select all cameras and create a new user account called “vms” or similar and set a strong password. The privileges need to align with the requirements of the VMS, this may be either operator or administrator (check with manufacturer).
> Add the devices to the VMS with the “vms” account and the password you defined
> Go back to AXIS Device Manager and select all cameras again and reset (change) the “root” account password with a new strong password. The “root” account password should only be known to a limited number of individuals (those who use AXIS Device Manager).
> When someone within the organization needs to use a web browser to access a device for maintenance or troubleshooting tasks, do not give them the root password. Use AXIS Device Manager to create a new (temporary) account for selected device(s) with either administrator or operator privileges. When their task is complete, use AXIS Device Manager to remove the temporary account.
> AXIS Device Manager supports local administrators as well as domain users and groups. You can use a local administrator if the AXIS Device Manager client will only be accessed from the same machine hosting the AXIS Device Manager server. It is recommended to use domain users if the person maintaining the system will use remote clients.
Changing user roles and passwords in AXIS Device Manager.

4. Firmware upgrades
Latest firmware versions include patches for known vulnerabilities. It is essential to always use the latest software because attackers may try to exploit any known vulnerabilities. As important, rapid deployment of new firmware boosts operational capabilities and removes bottlenecks related to manually rolling out new release upgrades. AXIS Device Manager connects to and downloads the latest applicable firmware or service releases. If you prefer to not download directly to your network from the internet, you can save upgrades to an USB stick and then upload them to your AXIS Device Manager client. It also shows if new firmware are available and lets you quickly deploy them on Axis devices.

Why you should always run the latest firmware versions
> Your network and devices are protected with the latest patches against known vulnerabilities, especially critical ones
> Your devices are updated for the latest performance improvements as well as resolve any known bugs or flaws
> You gain immediate access to the latest features and functionality enhancements
Upgrading firmware with AXIS Device Manager is simplified thanks to on-screen notifications and intuitive dialog boxes.

5. Additional hardening
A good user/password policy, as well as running devices with up-to-date firmware versions, will mitigate common risks for devices. The Axis Hardening Guide describes additional measures to reduce risks within large and critical organizations. This includes disabling services that may not be used and enabling services that can help detect and monitor indication of an attack or breach.
AXIS Device Manager simplifies the process of deploying some of these policies. Axis provides a configuration template for basic recommended settings; see more at: /support/faq//FAQ116386

How to harden devices according to the Axis Hardening Guide
> Download the hardening template configuration file from /files/tech_notes/harden_device_with_AXIS_Device_Manager.zip
> Review the READ_ME.txt file
> Edit configuration file to choose relevant items
> Select devices
> Right-click and select “Configure Devices | Configure…”
> Click “Configuration File” and select the downloaded file
> Adjust settings as needed

6. Certificate Authority Service
Certificate Authority (CA) is a service that issues digital certificates to servers, clients or users. A CA can be public or private. Publicly trusted CAs, such as Comodo and Symantec (formerly Verisign), are typically used for public services such as public web sites and email.
A private CA (typically active directory/certificate service) issues certificates for internal/private network services. In a video management system this is primarily for Hyper Text Transfer Protocol Secure (HTTPS) (network encryption) and IEEE 802.1x (network access control). AXIS Device Manager includes a CA service for Axis devices and can operate as either a private root CA or private intermediate CA; part of an enterprise Public Key Infrastructure (PKI).
CA-signed certificates are used for both IEEE 802.1x (client) and HTTPS (server) certificates.

HTTPS
HTTPS is the secure version of HTTP over which communications between a client and a server are encrypted. Self-signed certificates are sufficient to achieve an encrypted connection. There is no difference in the encryption level between self-signed and CA-signed certificates. The difference is that self-signed certificates do not protect against network spoofing, where an attacking computer tries to impersonate a legitimate server. CA-signed certificates add a trust point for clients to authenticate that it is accessing a trusted device. Note that the video client (VMS) needs to support requesting video over HTTPS (RTP over RTSP over HTTPS) in order to encrypt video.

IEEE 802.1X
Referred to as 802.1X, this standard prevents unauthorized network devices from accessing the local network. A device needs to authenticate itself before it is allowed access to the network (and its resources). There are different authentication methods that can be used, such as: MAC address (MAC filtering), user/password or client certificate. The system owner decides which method to use; the appropriate choice depends on threats, risk, and cost.
Operating an 802.1X infrastructure is an investment. It requires managed switches and additional servers, typically a RADIUS (Remote Authentication Dial-In User Service). Using client certificates requires a CA (private or public) that can issue client certificates. In most cases the infrastructure needs personnel to maintain and monitor it.
Certificate configuration in AXIS Device Manager.

7. Certificate lifecycle management
Certificate lifecycle management is a means of cost-efficiently handling all processes and tasks related to issuing, installing, inspecting, remediating and renewing certificates over a long period of time. AXIS Device Manager enables you to efficiently manage certificates by allowing administrators to:
> Issue CA-signed certificates when no other CA is available
> Easily manage IEEE 802.1X certificates
> Easily manage HTTPS certificates
> Monitor certificate expiration dates
> Easily renew certificates prior to expiration

Recommendations of private root and intermediate CA
It is not recommended to expose Axis devices as public servers targeting the public. That’s why using a public CA for private resources is not cost-effective.
For HTTPS, the VMS server is the only client that needs to validate it is accessing a trusted camera. Operator clients will never access the cameras directly as live and recorded video is provided by the VMS server. In this situation there is limited value to incorporate camera server certificates in an existing enterprise PKI.
Using AXIS Device Manager as a private CA is the most cost-effective solution. After a root CA certificate is generated, install the AXIS Device Manager certificate in the VMS server’s certificate store. If there are other clients accessing cameras directly (for maintenance or troubleshooting), install the AXIS Device Manager root CA in these clients as well.
For 802.1X, the camera needs a client certificate in order to authenticate itself to a RADIUS server. It is recommended to have the administrator for the Enterprise PKI/CA generate an Intermediate CA certificate and export this as a PKCS#12 (P12) certificate that can be installed in AXIS Device Manager.
For support in setting up a FreeRADIUS server, please go to the Technical papers tab at / products/axis-device-manager/support-and-documentation.

Figure 4, managing HTTPS certificates involves: 1) generating intermediate or root CA certificate in AXIS Device Manager; 2) exporting CA certificate to the VMS, and 3) uploading server certificates to the devices.
Figure 5, using a Private CA: Managing IEEE 802.1X certificates involves: 1) generating intermediate CA and client certificate; 2) installing CA certificate on the Radius server; 3) importing CA certificate in AXIS Device Manager and 4) uploading CA and client certificates to the devices.
Figure 6, using AXIS Device Manager as a CA: To manage IEEE 802.1X certificates: 1) generate the root CA certificate in AXIS Device Manager; 2) import the authentication CA certificate in AXIS Device Manager; 3) install the CA certificate on the Radius server; 4) upload the CA authentication and client certificates to the devices.

8. Conclusion
Security management and security control are important parts of implementing an effective cybersecurity approach. Each is a continuous process that demands maintaining clear status and following proper actions to mitigate any potential threat that may impact your IP network. AXIS Device Manager offers you a tool to both manage your devices as well as increase the security of your network. Contact your local Axis representative or go to for more information or support.

Axis enables a smarter and safer world by creating network solutions that provide insights for improving security and new ways of doing business. As the industry leader in network video, Axis offers products and services for video surveillance and analytics, access control, and audio systems. Axis has more than 3,000 dedicated employees in over 50 countries and collaborates with partners worldwide to deliver customer solutions. Founded in 1984, Axis is a Sweden-based company listed on the NASDAQ Stockholm under the ticker AXIS.
For more information about Axis, please visit our website .
©2018 Axis Communications AB. AXIS COMMUNICATIONS, AXIS, ETRAX, ARTPEC and VAPIX are registered trademarks or trademark applications of Axis AB in various jurisdictions. All other company names and products are trademarks or registered trademarks of their respective companies. We reserve the right to introduce modifications without notice.
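ENOVIA VPM User Manual

Produced jointly with: AVIC Shaanxi Aircraft Industry (Group) Co., Ltd., Hanzhong, Shaanxi Province, China

ENOVIA VPM User Manual [V5R18]
Prepared by:
Date: 17 September 2011
Version: 1.0
Status:

Signature page

The signature page records the people and dates for the design, proofreading, review and approval of this document. The document takes formal effect once it has been signed.

Contents

Signature page
Contents
1 Introduction to ENOVIA VPM
1.1 Overview
1.2 Advantages of the VPM system
2 People and organization system
2.1 Building the people and organization structure
2.1.1 People and organization structure
2.1.2 Objects defined by the structure
2.1.3 Establishing the people and organization structure
2.2 Security management
2.2.1 Objects of security management
2.2.2 Control of function access: authorization
2.2.3 Control of object access: masks
2.2.4 Setting up security management
2.2.5 Analysis of user permissions
2.3 Creating users in the operating system
3 Logging in to the ENOVIA VPM system
3.1 Starting the client
3.2 Logging in to the system
3.3 Entering the LCA main interface
4 Product structure management
4.1 Creating a product
4.1.1 Creating a PRC
4.1.2 Creating a GCO
4.1.3 Creating the top-level drawing
4.2 Transferring permissions
4.3 Copying a GCO under a new PRC
4.4 Deleting a product
4.4.1 Deletion principles
4.4.2 Procedure
4.5 Lock mechanism
4.5.1 Purpose of introducing the lock mechanism
4.5.2 Scope of use of the lock mechanism
4.5.3 Function of the lock mechanism
5 Content management
5.1 Creating a new document
5.2 Inserting a document into a specified node
5.2.1 Inserting a document from the database into a specified node
5.2.2 Inserting a local document into a specified node
6 Maturity management
6.1 Technical means of maturity management
6.2 Maturity management example
6.2.1 Defining a lifecycle state diagram for an object type
6.2.2 Defining how object state transitions are controlled
7 Using the search function

1 Introduction to ENOVIA VPM

1.1 Overview

ENOVIA VPM is one of the Dassault family of products. Its main scope of application covers PDM (Product Data Management) and VPDM (Virtual Product Development Management).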
EICC code, laws and regulations
• Verify auditee conformance with the EICC-GeSI audit criteria
• Validate the auditee’s most recent self-assessment or internal audit
• Identify improvement opportunities in auditee practices, performance and management systems
3. The Auditee signs an Auditee Agreement which commits it to the
following:
• Agrees to the on-site audit
• Confirmation that the Auditee owns the audit information, but agrees to share the report with their customers.
• Agrees to allow a VAP observer from an authorized customer to join the audit.
• Agrees to release the resulting Validated Audit Report
• Agrees that the Audit Report will be stored on the secure EICC audit management website.
(EICC)
• Independently managed by an Audit Program Manager
(Phylmar) to ensure consistency and quality
• Collaborative effort of GeSI and the EICC
audits@ (backup: patrick@)
EICC Administrator
• General comments and complaints
info@
6Nov2009
Preparing for the Validated Audit
Audit scope
Labor
Health & Safety
Management Systems Ethics
Common Environment Audit
What is the Validated Audit Process (VAP)?
VAP Definition
• A common model for auditing social and environmental
VAP Benefits
1. Consistent application of EICC-GeSI audit criteria
2. Reduced investment (staff and expenses) in individual company audit programs
• Contracting and payment
Phylmar@ (backup: mkatchen@)
• Audit process and Code
audits@ (backup: patrick@)
• General questions and information
responsibility in the Information Communication Technology (ICT) supply chain
• Utilizes common tools, templates and methodology
• Performed by external 3rd party auditors approved by the EICC
• Administered by the Electronics Industry Citizenship Coalition
VAP Introduction - Contents
1. What is the Validated Audit Process (VAP)?
2. How does the VAP work?
3. Preparing for the Validated Audit
4. Audit process
5. Audit findings and report
6. Definitions and terminology
VAP Objectives
“Quality, credibility, optimized value and efficiency”
• Ensure suppliers are working toward conformance to the common
to pay for the Validated Audit
• Agreement for the Exchange of Confidential Information (AECI)
• Master Audit Purchase Agreement
• Audit Buyer Statement of Work
actions
How does the VAP Work?
Initiating a Validated Audit
1. A company requests a Validated Audit of a facility
* Sometimes with EICC or GeSI customer company observer
Post-Audit Corrective Action
Yes Auditee sustains CR performance No
Additional corrective action required?
The requesting company could be the auditee or a customer of the auditee. This “Audit Buyer” purchases the Validated Audit from the EICC
2. The Audit Buyer completes the following contracts with the EICC
Continuous Improvement Cycle
Who manages the VAP?
The VAP is managed by contracted providers: Phylmar, as the Audit Program Manager (APM), and AMS, as the administrator, on behalf of the EICC organization.

Audit Program Manager (APM)
3. Consistent quality
4. Reduced supplier “audit fatigue” and duplication of effort.
5. Utilization of best practices across industry sectors
6. Promotion of supplier ownership for corrective
• Start: Auditee & customer develop corrective action plans
• Auditee implements corrective actions
• Customer validates corrective actions
Key:
3PA - 3rd Party Audit firm
SAQ - Self Assessment Questionnaire
APM - Audit Program Manager (Phylmar)
CR - Corporate Responsibility
On-site Audit
Audit Firm:
• Conducts audit*
• Presents findings to auditee
• Prepares draft report
Audit Program Manager:
• Sanitizes report
• Report QA and approval
• Distributes report to auditee-designated customers
• Enable companies to focus resources on root cause and continuous improvement efforts
• Reinforce EICC and GeSI corporate responsibility expectations with auditees
EICC-GeSI Validated Audit Process (VAP): Auditee Introduction
Version 1.0: 6 November 2009 EICC-GeSI VAP Workgroup
EICC-GeSI VAP
VAP Process Flow
Audit Preparation
• APM notifies Auditee
• Auditee completes SAQ
• APM coordinates audit schedule with 3PA and Auditee