IP protection has been one of the biggest concerns of foreign investors in China. A legal framework for protecting the IP of foreign investors has now been established: the Chinese government recognises the significance of IP and has signed the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS), and IP courts have been set up in major cities such as Shanghai. Since we entered the outsourcing business in 1998, we have increasingly recognised how important security is to our clients. We continuously refine detailed security plans and implement them rigorously. All outsourcing business is undertaken by a specialised division that is organisationally independent and has its own dedicated development rooms. It is purely a service provider and has no interest in the clients' IP.
1. Baosight is a recognised model company for IP protection in Shanghai.
2. Conformity Certification of System for Information Security in China, which is comparable to ISO 17799.
3. Physical security measures in place, including but not limited to: CCTV cameras covering doorways; separate workspaces with badge-based access levels; high-security (biometric) locks on server rooms; secured phones, printers and faxes; separate LANs; workstations with USB and other removable-media ports disabled; firewalls; intrusion detection; and off-site backup.
4. Security measures can be tailored to specific clients, including different binding confidentiality agreements.
5. The Process Management Department conducts periodic security audits and makes improvement recommendations.
6. Each client has an independent, separate workshop.
7. QHSE and ISMS management systems.
8. ISO 27000-series certification obtained in 2007.
1. Access Control of Persons
To prevent unauthorised persons from gaining access to the data processing equipment on which data transferred by our clients are processed, appropriate means are adopted, such as (but not limited to):
a. Establishing secure premises;
b. Protecting and restricting access paths;
c. Securing decentralised data processing equipment and personal computers;
d. Establishing access authorisations for employees and third parties, including the respective documentation;
e. Identifying persons who hold access authority;
f. Regulating card-key access;
g. Restricting the issue of keys;
h. Managing and controlling the use of codes and passes;
i. Maintaining visitor books;
j. Using time-recording equipment;
k. Providing a security alarm system or other appropriate security measures.
2. Data Media Control
To prevent unauthorised manipulation of the media containing the clients' personal data, appropriate means are adopted, such as (but not limited to):
a. Designating the physically secure areas in which data media may or must be located;
b. Designating the persons in such areas who are authorised to handle data media;
c. Controlling the handling of data media;
d. Securing the areas in which data media are located;
e. Releasing data media only to authorised persons;
f. Controlling files, and controlling and documenting the destruction of data media;
g. Enforcing policies that control the creation of back-up copies.
3. Data Memory Control
To prevent unauthorised input into data memory (storage) and the unauthorised reading, alteration or deletion of the clients' stored data, appropriate means are adopted, such as (but not limited to):
a. Authorising and enforcing a policy for the input of data into memory, as well as for the reading, alteration and deletion of stored data;
b. Authenticating authorised personnel;
c. Providing protective measures for data input into memory, as well as for its reading, alteration and deletion by authorised personnel;
d. Using user codes (passwords);
e. Using encryption for security-critical files and restricted data;
f. Specifying access rules for procedures, control cards, process control methods and program cataloguing authorisation;
g. Enforcing guidelines for data file organisation;
h. Keeping records of data file use;
i. Separating production and test environments for libraries and data files;
j. Providing lockable entrances to data processing facilities;
k. Automatically disabling user IDs that have not been used for 30 days;
l. Providing audit trails of unauthorised attempts to access data memory;
m. Controlling every program change with a source-to-source comparison.
4. User Control
To prevent our data processing systems from being used by unauthorised persons by means of data transmission equipment, appropriate means are adopted, such as (but not limited to):
a. Identifying the terminal and/or the terminal user to the DP system;
b. Automatically disabling the user ID when several erroneous passwords are entered, and keeping an event log (monitoring of break-in attempts);
c. Issuing and safeguarding identification codes;
d. Dedicating individual terminals and/or terminal users, and identification characteristics, exclusively to specific functions;
e. Evaluating records and audit trails.
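The account controls in sections 3 and 4 above (disabling IDs unused for 30 days, locking an ID after several bad passwords, and keeping an audit trail of break-in attempts) are stated as policy; the following is an added example, not Baosight's code, showing how such a policy can be enforced and evidenced mechanically. The event format, the lockout threshold of three consecutive failures, the reference date and the sample log are all constructed assumptions for illustration.

```python
"""Replay an authentication log and enforce account controls:
lockout after repeated bad passwords, disabling of dormant IDs,
and an audit trail of rejected attempts.

Added example; not Baosight's code. Log format, thresholds and the
sample events are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOCKOUT_THRESHOLD = 3   # assumed: consecutive failures before the ID is locked
DORMANT_DAYS = 30       # from the policy: IDs unused for 30 days are disabled
NOW = datetime(2011, 4, 20)  # assumed reference date for the dormancy check

# Constructed sample events, one per line: "<ISO timestamp> <user> <terminal> <result>"
SAMPLE_LOG = """\
2011-03-01T08:00:00 alice T01 success
2011-03-01T08:05:00 bob   T02 failure
2011-03-01T08:05:10 bob   T02 failure
2011-03-01T08:05:20 bob   T02 failure
2011-03-01T08:05:30 bob   T02 failure
2011-03-02T09:00:00 carol T03 failure
2011-03-02T09:00:30 carol T03 success
2011-04-15T10:00:00 alice T01 success
"""


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked: bool = False
    last_success: Optional[datetime] = None


def parse_events(text):
    """Parse the constructed log format into (timestamp, user, terminal, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, terminal, result = line.split()
        events.append((datetime.fromisoformat(ts), user, terminal, result))
    return events


def apply_policy(events, now, threshold=LOCKOUT_THRESHOLD, dormant_days=DORMANT_DAYS):
    """Replay events in time order and return (states, audit).

    states: per-user AccountState after replay.
    audit:  (timestamp, user, terminal, reason) records for every failed
            password, every lockout, every attempt against a locked ID and
            every dormant ID disabled at 'now'.
    """
    states = defaultdict(AccountState)
    audit = []
    for ts, user, terminal, result in sorted(events):
        st = states[user]
        if st.locked:
            # Attempts against a locked ID are rejected and recorded, not counted.
            audit.append((ts, user, terminal, "attempt on locked ID"))
            continue
        if result == "success":
            st.consecutive_failures = 0
            st.last_success = ts
        else:
            st.consecutive_failures += 1
            audit.append((ts, user, terminal, "failed password"))
            if st.consecutive_failures >= threshold:
                st.locked = True
                audit.append((ts, user, terminal, f"locked after {threshold} failures"))
    # Dormancy check: IDs with a last successful use older than dormant_days are disabled.
    # IDs with no recorded success are left to the lockout rule above.
    for user, st in states.items():
        if st.locked or st.last_success is None:
            continue
        if now - st.last_success > timedelta(days=dormant_days):
            st.locked = True
            audit.append((now, user, "-", f"disabled: unused for {dormant_days} days"))
    return dict(states), audit


if __name__ == "__main__":
    _states, _audit = apply_policy(parse_events(SAMPLE_LOG), NOW)
    for rec in _audit:
        print(*rec)
```

On the sample log, bob is locked at the third failure and the fourth attempt is recorded against a locked ID; carol's single failure is reset by her later success, but her ID is disabled as dormant at the reference date; alice, used five days before the reference date, stays active. Thresholds and the dormancy window are the policy's parameters, not fixed values.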
5. Personnel Control
Upon request, we provide the clients with a list of the employees entrusted with processing the personal data transferred by the clients, together with a description of their access rights.
6. Access Control to Data
We commit that persons entitled to use the clients' data processing system can access the data only within the scope, and to the extent, covered by their respective access permission (authorisation). Measures adopted include, but are not limited to:
a. Allocating individual terminals and/or terminal users, and identification characteristics, to the Data Importer (the recipient of the clients' data);
b. Controlling functional and/or time-restricted use of terminals and/or terminal users, and identification characteristics, of the Data Importer;
c. Using function authorisation codes (direct access, batch processing) to limit the persons given access to work areas;
d. Electronically verifying authorisation;
e. Evaluating records and audit trails.
7. Transmission Control
To enable verification and tracing of the locations or destinations to which the clients' data are transferred using our data communication equipment, appropriate means are adopted, such as (but not limited to):
a. Documenting retrieval and transmission programs;
b. Documenting the remote locations or destinations to which a transmission is intended, and the transmission paths (logical paths).
8. Input Control
We retain the ability to review retrospectively and determine when, and at which point, the clients' data entered our data processing system. Means include, but are not limited to:
a. Using evidence established within our organisation;
b. Electronically recording entries.
9. Instructional Control
The clients' transferred data may be processed only in accordance with the clients' instructions, which govern all aspects of the processing transactions. Means include, but are not limited to:
a. Using binding policies and procedures for our employees, subject to the clients' prior approval of those policies and procedures;
b. Upon request, granting access to the clients' representatives responsible for monitoring our compliance with these obligations.
10. Organisation Control
An internal organisation is maintained to meet the clients' security requirements:
a. Developing internal policies, procedures, guidelines, work instructions, process descriptions and regulations for risk assessment, programming, testing and release, insofar as they relate to data transferred by the clients, and formulating and complying with a data security concept whose content has been agreed with the clients;
b. Adopting industry-standard system and program examinations;
c. Formulating a business continuity plan (back-up contingency plan);
d. Exercising due diligence over the sustained integrity of the clients' data.
Shanghai Baosight Software Co., Ltd.
Copyright © 1998-2011 Baosight Corporation. All Rights Reserved.