Call Us Now !
Tel : +86 755 27374946
Order Online Now !
Email : info@bichengpcb.com
Information Security Management System of Enterprise
Document Version: V1.0
文件版本:V1.0
Prepared by: Admin & Information Security Department
编制部门:行政/信息安全部
Approved by: ____Chen Long_______
审批人:_____陈龙_______
Effective Date: ___1-MAY-2021_________
生效日期:____2021.05.01________
This system is formulated to standardize the whole-process information security management of our company’s high-frequency circuit boards (RFPCBs), including R&D, design, production, testing and delivery. It protects core information assets such as customer drawings, impedance parameters, high-frequency substrate formulas, Gerber files, BOMs, confidential customer project plans and supplier technical data. The system complies with EU GDPR and industry information security compliance requirements, prevents risks of information leakage, tampering, loss and unauthorized access, and ensures stable and continuous business operation.
为规范本公司高频电路板(RFPCB)研发、设计、生产、测试、交付全流程信息安全管理,保护客户图纸、阻抗参数、高频板材配方、Gerber文件、物料清单、客户涉密项目方案、供应商技术资料等核心数据资产,符合欧盟GDPR、行业信息安全合规要求,防范信息泄露、篡改、丢失、非法访问风险,保障业务持续稳定运行,特制定本制度。
This system applies to all employees, external processors, raw material suppliers, outsourced design service providers and visitors of the company. It covers all paper documents related to high-frequency circuit boards, electronic drawings, servers, production equipment, testing instruments, office terminals, storage media, transmission channels and physical plant areas.
本制度适用于公司全体员工、外协加工商、原材料供应商、外包设计服务商、访客;覆盖公司所有高频电路板相关纸质资料、电子图纸、服务器、生产设备、测试仪器、办公终端、存储介质、传输渠道、厂区物理区域。
1. Management: Approve information security policies, annual security objectives, allocate security resources, review supplier security agreements and approve disaster recovery budgets.管理层:审批信息安全方针、审批年度安全目标、保障安全资源投入、审核供应商安全协议、审批灾难恢复预算;
2. Information Security Administrator: Implement systems, organize security training, control access rights, handle security incidents, conduct compliance self-inspections, audit logs and manage encryption.信息安全管理员:制度落地、安全培训、权限管控、安全事件处置、合规自查、日志审计、加密管理;
3. R&D & Engineering Department: Classify confidential drawings including RF impedance, circuit stack-up structures and special substrates (TMM4/TF440/WL-CT440), encrypt drawings and control version iterations.研发/工程部:负责高频板阻抗、射频电路、叠层结构、特殊板材(TMM4/TF440/WL-CT440等)涉密图纸分级、图纸加密、版本管控;
4. Production & Quality Department: Confidential management of production equipment data, test reports, gold plating/resin plugging process parameters and customer sample data.生产/品质部:生产车间设备数据、测试报告、沉金/树脂塞孔工艺参数、客户样品数据保密管理;
5. Purchasing Department: Implement supplier information security access control, sign security clauses and conduct regular security audits on suppliers.采购部:供应商信息安全准入、合作安全条款签订、供方定期安全审核;
6. All Employees: Comply with access authority rules, keep data confidential, report security abnormalities actively and participate in security training.全体员工:遵守访问权限、做好数据保密、主动上报安全异常、参与安全培训。
The company shall compile a formal written General Information Security Policy, clarifying the protection bottom line of three major asset categories: core technical data of high-frequency circuit boards, customer commercial data and personal information. The document shall be filed uniformly, distributed to all departments for full-staff learning, and updated synchronously with version changes.公司编制正式成文《信息安全总方针》,明确高频电路板核心技术资料、客户商业数据、个人信息三大类资产保护底线,文件统一归档、发放至各部门并组织全员学习,版本更新同步公示。
At the beginning of each year, the information security administrator together with management shall formulate quantifiable annual security objectives, including zero leakage incidents of high-frequency drawings, 100% employee information security training coverage, full coverage of supplier security compliance audits and 100% closed-loop rectification of security vulnerabilities.每年年初由信息安全管理员联合管理层制定年度可量化安全目标,包含:高频图纸泄露事故零发生、员工信息安全培训覆盖率100%、供应商安全合规审核全覆盖、安全漏洞整改闭环率100%;
Quarterly verification shall be carried out to check security training records, supplier audit reports, security incident ledgers and rectification documents, and a verification report shall be submitted to management. Unqualified items shall be included in the continuous improvement plan.每季度开展目标落地验证,核对安全培训记录、供应商审核报告、安全事件台账、整改单据,形成验证报告上报管理层,未达标项纳入持续改进计划。
1. Top Secret: Exclusive RF schemes, customized customer RF Gerber files, confidential military/communication customer projects, exclusive formulas for special substrates, high-precision impedance debugging parameters and undisclosed new product R&D data.绝密级:独家高频射频方案、客户定制射频Gerber图纸、军工/通信客户涉密项目、特种板材专属配方、高精度阻抗调试参数、未公开新产品研发资料;
2. Confidential: General high-frequency board production process documents, customer mass order BOMs, test reports, gold plating/microwave circuit process standards and core supplier technical parameters.机密级:常规高频板生产工艺文件、客户批量订单BOM、测试检测报告、沉金/微波线路工艺标准、核心供应商技术参数;
3. Internal: General production specifications, public material models, external promotional product materials and non-confidential office documents.内部级:通用生产规范、公开物料型号、对外宣传产品资料、非涉密办公文件;
4. Public: Official website product introductions, public sample manuals and general exhibition materials.公开级:官网产品介绍、公开样品手册、对外展会通用资料。
1. Electronic files: Mark confidentiality level in file names for Top Secret and Confidential high-frequency drawings; store separately on encrypted servers; prohibit private copying to personal USB flash drives or mobile phones.电子文件:绝密/机密高频图纸强制命名标注密级,单独存储加密服务器,禁止私自拷贝至私人U盘、手机;
2. Paper documents: Store Top Secret materials in locked cabinets with designated custodians; double approval by department supervisor and information security administrator is required for copying or external distribution.纸质文件:绝密资料专人专柜上锁保管,复印、外发需部门负责人+信息安全管理员双重审批;
3. Transmission control: Prohibit transmission of Top Secret high-frequency board drawings via WeChat or personal emails; only encrypted corporate mails and internal encrypted systems are allowed for data exchange.传输管控:绝密级高频板图纸禁止微信、私人邮箱传输,仅允许企业加密邮件、加密内网系统交互。
Assign account authorities based on the principle of minimum access by position:按岗位最小权限分配原则设置账号权限:
1. R&D Engineers: Only view high-frequency drawings of assigned projects; no mass export or mass deletion authority.研发工程师:仅可查看本人负责项目高频图纸,无批量导出、批量删除权限;
2. Production Operators: Only access process files for current shift; no permission to download original Gerber source files.生产操作员:仅可调取当班生产工艺文件,无法下载原始Gerber源文件;
3. Administrators: Possess system operation & maintenance authority; all operations are fully logged.管理员:拥有系统运维权限,操作全程留日志;
Recover system accounts, workshop access control cards and drawing access rights on the same day of employee transfer or resignation; take back all paper drawings and private storage USB drives.人员调岗、离职当日立即回收系统账号、机房门禁、图纸查阅权限,回收全部纸质图纸、存储U盘。
The company shall establish an Information Asset Ledger to register all assets related to high-frequency circuit boards:公司建立《信息资产台账》,登记全部高频电路板相关资产:
1. Electronic assets: Drawing servers, engineering computers, PCB design software licenses, portable hard drives and storage modules of testing equipment.电子资产:图纸服务器、工程电脑、PCB设计软件授权、移动硬盘、测试设备存储模块;
2. Physical assets: Paper drawings, sample boards, test fixtures and confidential production molds.实物资产:纸质图纸、样品板、测试治具、涉密生产模具;
Conduct regular inventory of ledgers; scrap storage media shall be uniformly shredded and destroyed; lending assets shall be registered and tracked throughout the whole process.台账定期盘点,报废存储介质统一粉碎销毁,严禁随意丢弃;外借资产登记归还,全程跟踪。
1. Access control cards are required for entry to R&D drawing rooms, high-frequency precision testing workshops and server computer rooms; visitors must be accompanied by designated staff and registered.研发图纸室、高频精密测试车间、服务器机房设置门禁,仅限授权人员刷卡进入,访客需专人陪同并登记;
2. Password locks and surveillance cameras shall be installed in archives storing Top Secret high-frequency drawings; unrelated personnel are prohibited from staying alone.存放绝密高频图纸的档案室加装密码锁、监控,禁止无关人员单独逗留;
3. 24-hour video surveillance is deployed at factory entrances, R&D areas and production workshops; surveillance videos shall be retained for no less than 90 days.厂区出入口、研发区、生产车间24小时视频监控,录像留存不少于90天。
1. Password login is mandatory for all office and design computers; automatic screen lock activates after 5 minutes of inactivity.所有办公、设计电脑设置开机密码、屏幕自动锁屏(5分钟无操作锁定);
2. Two-factor authentication (account + password) applies to PCB design servers, ERP systems and drawing management systems; passwords shall be updated periodically. PCB设计服务器、ERP系统、图纸管理系统实行账号+密码双重认证,定期更换密码;
3. Prohibit transmission of confidential high-frequency circuit board customer data via personal cloud disks or private chat tools; anti-data leakage monitoring software shall be installed uniformly on all terminals.禁用私人网盘、私人聊天工具传输客户高频电路板涉密资料,终端统一安装防泄露监控软件。
1. Strict temperature & humidity control, dust-proof and anti-static measures shall be implemented in high-frequency R&D laboratories and microwave testing workshops to prevent data loss caused by equipment failures.高频研发实验室、微波测试车间做好温湿度、防尘、防静电管控,防止设备故障造成数据丢失;
2. Fire protection, moisture-proof facilities and UPS backup power supply shall be equipped in computer rooms to avoid server downtime and loss of drawing data.机房配备消防、防潮、断电备用UPS电源,避免服务器宕机丢失图纸数据;
3. Private mobile phones and shooting devices are forbidden in confidential areas; unauthorized photography or recording of high-frequency circuit board layouts and process parameters is strictly prohibited.涉密区域禁止携带私人手机、拍摄设备,严禁私自拍照、录制高频电路板线路与工艺参数。
1. Customer high-frequency circuit board project drawings, orders and test reports shall be retained for at least 5 years after project completion; confidential customer materials shall be archived permanently.客户高频电路板项目图纸、订单、测试报告:项目结束后至少留存5年,涉密客户资料永久归档;
2. Personal information of employees and suppliers shall be retained in accordance with GDPR and domestic regulatory requirements, and securely deleted upon expiry.员工、供应商个人信息按GDPR及国内法规约定留存周期,到期安全删除;
3. Expired confidential paper drawings shall be uniformly shredded; electronic files shall be deeply erased instead of simple recycle bin deletion.过期涉密纸质图纸统一粉碎,电子文件深度删除,禁止简单回收站清除。
1. Internal transmission: Use internal encrypted file systems only.对内传输:内网加密文件系统;
2. External transmission of high-frequency drawings to customers/suppliers: Encrypt attachments with extraction passwords and register transmission records.对外向客户/供应商发送高频图纸:加密附件并设置提取密码,登记传输台账;
3. Transmission of Top Secret RF layout data via public networks or unencrypted channels is prohibited.禁止通过公共网络、未加密渠道发送绝密级射频线路资料。
1. All high-frequency substrate suppliers, PCB external processing factories and outsourced design vendors shall sign Information Security Confidentiality Agreements, clarifying confidentiality liabilities and compensation clauses for leakage of high-frequency technical data.所有高频板材供应商、PCB外协加工厂、外包设计商签订《信息安全保密协议》,明确高频技术资料保密责任、泄露赔偿条款;
2. Conduct information security qualification verification for new suppliers before admission; suppliers failing verification shall not be awarded cooperation business.新供应商准入前开展信息安全资质核查,不合格不予合作;
3. Conduct an on-site information security audit on core suppliers every six months to review drawing confidentiality, access control and data storage measures.每半年对核心供应商开展一次信息安全现场审核,核查其图纸保密、访问管控、数据存储措施;
4. Upon cooperation termination, require suppliers to delete all high-frequency circuit board related data of our company and issue written confirmation.合作终止后要求供应商删除全部本公司高频电路板相关资料,并出具书面确认。
The company shall compile the High-Frequency Circuit Board Business Continuity & Disaster Recovery Plan, covering scenarios such as server hard disk damage, ransomware virus attacks on drawings, computer room power failure, factory-wide shutdown and loss of core R&D data.公司编制《高频电路板业务连续性及灾难恢复预案》,覆盖场景:服务器硬盘损坏、病毒勒索图纸、机房断电、厂区突发停工、核心研发数据丢失等。
1. Automatic off-site daily backup of all high-frequency drawing server data; backup data shall be stored in encrypted form.高频图纸服务器每日自动异地备份,备份数据加密存储;
2. Organize one disaster recovery drill every year to test drawing restoration and business resumption workflows, and update the plan accordingly.每年度组织1次灾难恢复演练,测试图纸恢复、生产业务重启流程,更新预案;
3. Establish priority handling workflows for urgent customer high-frequency orders; restore mass RF board production data first upon system failure to reduce delivery delay risks.区分紧急客户高频订单保障流程,发生系统故障时优先恢复批量射频板生产资料,降低交付延误风险。
1. In case of security incidents including drawing leakage, account theft, loss of customer high-frequency data or tampering of equipment data, relevant personnel shall report to the Information Security Administrator within 1 hour.发生图纸外泄、账号被盗、客户高频资料丢失、设备数据篡改等安全事件,当事人1小时内上报信息安全管理员;
2. The administrator shall fully record all incidents in the Security Incident Ledger, including incident time, involved high-frequency projects, impact scope, handling process and loss assessment.管理员完整记录《安全事件台账》,包含事件时间、涉及高频项目、影响范围、处置过程、损失评估;
3. Report major information security incidents to company management without delay; notify affected customers promptly and implement remedial actions.重大信息安全事件同步上报公司管理层,及时通知受影响客户并采取补救措施。
1. Conduct quarterly internal information security compliance self-inspections item by item against this system, GDPR and customer factory audit standards.每季度开展内部信息安全合规自查,对照本制度、GDPR、客户审厂标准逐项核查;
2. Key inspection items include high-frequency drawing encryption status, supplier confidentiality agreements, access logs, training records and backup validity.重点核查项:高频图纸加密情况、供应商保密协议、访问日志、培训记录、备份有效性;
3. Compile complete information security documents for annual third-party factory audits by customers, and establish rectification lists for all non-conformities identified during audits.每年配合客户第三方审厂,整理全套信息安全资料,针对核查出的不合规项建立整改清单。
1. For information security defects identified during self-inspection, customer audit or external audit, formulate corrective actions with designated responsible persons and clear deadlines.自查、客户审核、外部审计发现的信息安全缺陷,制定纠正措施,明确整改责任人、完成时限;
2. Verify and confirm rectification completion to form closed-loop records.整改完成后复核验证,形成闭环记录;
3. Update this system and optimize security control measures every year in response to new high-frequency board product processes and additional customer confidentiality requirements.每年结合高频电路板新产品工艺、新增客户保密要求更新本制度、优化安全管控措施。
1. Mandatory special information security training for all new employees, focusing on confidentiality red lines for high-frequency drawings and RF parameters; new hires can only take up posts after passing assessment.新员工入职必开展信息安全专项培训,重点讲解高频图纸、射频参数保密红线,考核通过方可上岗;
2. Organize full-staff security briefings no less than twice a year; add special anti-leakage training on PCB drawings for R&D and production teams.全体员工每年不少于2次全员安全宣讲,针对研发、生产岗位增加PCB图纸防泄露专项培训;
3. Regularly release security warning cases (drawing leakage, supplier information disclosure, penalties for unauthorized data transmission) to strengthen confidentiality awareness; training records and assessment papers shall be filed uniformly.定期发布安全警示案例(图纸泄露、供应商泄密、违规传输资料处罚案例),强化保密意识;培训记录、考核试卷统一存档。
1. Mandatory encrypted storage for Top Secret and Confidential high-frequency circuit board Gerber files, stack-up designs and impedance calculation documents.绝密、机密级高频电路板Gerber文件、叠层设计、阻抗计算文档强制加密存储;
2. Add traceable watermarks (marked with company name and project number) to all externally transmitted confidential drawings to prevent unauthorized reproduction and resale.对外发送涉密图纸使用压缩包加密、文件水印(标注公司名称、项目编号,防止外传盗用);
3. Encryption keys shall be managed uniformly by the Information Security Administrator and rotated periodically; employees are prohibited from sharing decryption passwords privately.加密密钥由信息安全管理员统一保管,密钥定期轮换,禁止员工私自共享解密密码;
4. Scrap encrypted electronic files shall be permanently erased via professional data shredding tools.废弃加密电子文件采用专业数据粉碎工具清除。
1. Automatic full logging of all administrator operations on drawing servers, ERP systems and R&D design systems.图纸服务器、ERP、研发设计系统全程自动留存管理员操作日志;
2. Log content includes login account, operation timestamp, operation details (drawing download/modification/deletion, authority change) and device IP address.日志内容包含登录账号、操作时间、操作内容(图纸下载/删除/修改、权限变更)、设备IP;
3. Logs shall be retained for no less than 1 year; the Information Security Administrator conducts monthly log audits to identify high-risk behaviors such as mass batch downloads and unauthorized off-hours logins.日志自动留存不少于1年,信息安全管理员每月审计日志,排查异常批量下载、夜间违规登录等高风险行为;
4. Logs cannot be deleted or tampered privately and serve as core evidence for tracing security incidents.日志禁止私自删除、篡改,作为安全事件追溯核心凭证。
1. Employees who strictly comply with this system and discover major security hazards to avoid high-frequency data leakage shall receive performance bonuses.严格遵守本制度、主动发现重大安全隐患避免高频资料泄露的员工,给予绩效奖励;
2. Disciplinary liability shall be imposed on any acts including unauthorized external transmission of high-frequency circuit board drawings, private storage of confidential process files, unauthorized access to customer projects or disclosure of confidential supplier parameters. Any behavior causing customer losses or commercial leakage shall trigger economic compensation liability; serious violations will result in termination of employment with the right to pursue legal liability reserved.存在私自外传高频电路板图纸、私存涉密工艺文件、越权访问客户项目、泄露供应商涉密参数等行为,按公司制度追责;造成客户损失、商业泄密的,追究经济赔偿,情节严重解除劳动关系并保留法律追责权利。
1. This system shall be interpreted and revised by the Information Security Administrator.本制度由信息安全管理员负责解释、修订;
2. This system shall take effect upon issuance; all prior relevant security management provisions shall be repealed simultaneously.本制度自发布之日起执行,原有相关安全管理规定同时废止;
3. All departments shall organize full-staff study of this document and retain training attendance records for inspection.各部门组织全员学习本文件,留存培训签到记录备查。
© Copyright: 2026 Shenzhen Bicheng Electronics Technology Co., Ltd.. All Rights Reserved.
IPv6 network supported