Data Outbound Consultation and Evaluation Declaration Service
Guided by the "Measures for Security Assessment of Data Export" and the "Measures for Evaluation of Personal Information Standard Contracts", we assist enterprises with their outbound data transfer declarations.
1. Project initiation
Select and confirm the business to be declared. Plan and submit a proposal. Appoint the project leader. Deliver project kick-off training.
2. Business interview
Understand the cross-border business processes. Understand the overseas recipient and its security protection capability.
3. Sorting out personal information fields
Sort out the personal information field table and count the categories of personal information that need to cross the border. Compile a personal information inventory.
4. Data map
Describe the life cycle of personal information (collection/storage/transmission/destruction) and the flow of personal information at each stage.
5. Risk assessment
Identify the technical controls applied to the flow of personal information at each stage, evaluate the risk points and identify the risks.
6. Risk management
Treat the identified risks so as to meet the requirements of the cross-border declaration, including compliance, technical and management measures.
7. Evaluation report
Collate and compile the personal information standard contract security assessment report. Collect and summarize the supporting materials.
8. Application materials
Submit the application materials.
Customer case
Aisufei Skin Care Products
It took 4 months from project start to submission of the risk report. Staffing: 1 senior consultant and 1 implementation consultant. Total service effort: about 60 person-days.
Background: As an internationally renowned cosmetics company, Aisufei Skin Care Products needed to connect its membership systems in mainland China and Hong Kong so that membership information and points are synchronized. Demand analysis: the system is deployed in mainland China, and members register through the app and offline stores. Registered members need to use their membership points and coupons in both Hong Kong and mainland China. Based on the business assessment, a cross-border declaration of personal information is required.
Deliverables and outputs: restructured privacy policy and individual consent form. Personal information protection impact assessment (PIA) report and rectification suggestions. Application materials for the cross-border transfer of personal information, submitted to the Shanghai Netcom Office. Filing notice of consent for outbound transfer issued by the Shanghai Netcom Office (No.003, the third enterprise in Shanghai to complete the personal information filing).
Service content: restructure its privacy policy and establish a privacy policy based on "individual consent" in accordance with Article 39 of the Personal Information Protection Law. Conduct a personal information protection impact assessment (PIA) in accordance with the requirements and procedures of the Guidelines for the Filing of Standard Contracts for the Outbound Transfer of Personal Information. Prepare and submit the application materials and obtain the filing certificate.
Shuyun (Data Cloud)
It took 6 months from project start to certification. Staffing: 1 senior consultant and 2 implementation consultants. Total service effort: about 220 person-days.
Background: Shuyun is a platform service provider offering a customer relationship management (CRM) system; brands use the Shuyun platform to serve and care for their consumer members. Demand analysis: Shuyun needs to prove to the brands that its platform has sufficient information security capability and can comply with the relevant requirements for personal information protection.
Deliverables and outputs: risk management outputs based on information assets and personal information: an information asset risk assessment report and a personal information impact assessment (PIA) report. Information security and personal information management system documents and implementation process documents. ISO/IEC 27001 and ISO/IEC 27018 management system certificates issued by the British Standards Institution (BSI).
Service content: establish a sustainable and auditable information security management system based on ISO/IEC 27001. Establish a personal information management system for cloud service providers based on ISO/IEC 27018 (protection of personally identifiable information in public clouds). Obtain certificates for both systems from an internationally recognized certification body to demonstrate its information security and personal information protection capabilities.
Nanyang Commercial Bank
It took 7 months from project start to certification. Staffing: 1 senior consultant and 3 implementation consultants. Total service effort: about 250 person-days.
Background: banks hold a large amount of personal financial information and are subject to information security supervision by the CBRC, so they must meet compliance requirements and establish strict security protection measures. Demand analysis: meet the compliance requirements of the Notice on the Guidelines for Data Governance of Banking Financial Institutions, and establish a data security management system according to the requirements of the applicable standards. Obtain data security-related certification to prove its compliance.
Deliverables and outputs: benchmarking breakdown and security objective assessment report against Yinbaojianfa [2018] No.22. Benchmarking breakdown, security objective and assessment report against JR/T 0171-2020. GB/T 37988 data security capability maturity evaluation report and rectification. GB/T 37988 Data Security Capability Maturity Level 3 evaluation certificate issued by the China Academy of Information and Communications Technology.
Service content: benchmark against the compliance requirements of the Notice of the China Banking and Insurance Regulatory Commission on Issuing the Guidelines on Data Governance of Banking Financial Institutions (Yinbaojianfa [2018] No.22). Benchmark against the Technical Specification for the Protection of Personal Financial Information (JR/T 0171-2020) and classify personal financial data accordingly. Obtain data security-related certification to demonstrate its data security protection capability.
Jiangyin Rural Commercial Bank
It took 10 months from project start to certification. Staffing: 2 senior consultants and 2 implementation consultants. Total service effort: about 300 person-days.
Background: banks hold a large amount of personal financial information and are subject to information security supervision by the CBRC, so they must meet compliance requirements and establish strict security protection measures. Demand analysis: meet the compliance requirements of the Notice on the Guidelines for Data Governance of Banking Financial Institutions, and establish a data security management system according to the requirements of the applicable standards. Obtain data security-related certification to prove its compliance.
Deliverables and outputs: benchmarking breakdown and security objective assessment report against Yinbaojianfa [2018] No.22. Benchmarking breakdown, security objective and assessment report against JR/T 0171-2020. GB/T 37988 data security capability maturity evaluation report and rectification. GB/T 37988 Data Security Capability Maturity Level 3 evaluation certificate issued by the China Academy of Information and Communications Technology.
Service content: benchmark against the compliance requirements of the Notice of the China Banking and Insurance Regulatory Commission on Issuing the Guidelines on Data Governance of Banking Financial Institutions (Yinbaojianfa [2018] No.22). Benchmark against the Technical Specification for the Protection of Personal Financial Information (JR/T 0171-2020) and classify personal financial data accordingly. Obtain data security-related certification to demonstrate its data security protection capability.
Allianz Insurance Group
It took 7 months from project start to certification. Staffing: 1 senior consultant and 2 implementation consultants. Total service effort: about 210 person-days.
Background: the insurance industry holds a large amount of personal information and is subject to information security supervision by the China Insurance Regulatory Commission, so insurers must meet compliance requirements and establish strict security protection measures. Demand analysis: establish a data security management system in line with the compliance requirements of the Notice of the China Banking and Insurance Regulatory Commission on Issuing the Measures for the Security Management of Regulatory Data (for Trial Implementation). Obtain data security-related certification to prove its compliance.
Deliverables and outputs: benchmarking breakdown and security objective assessment report against Yinbaojianfa [2020] No.43. ISO/IEC 27001 risk assessment report and management system documents. ISO/IEC 27001 management system certificate issued by the British Standards Institution (BSI).
Service content: benchmark against the compliance requirements of the Notice of the China Banking and Insurance Regulatory Commission on Issuing the Measures for the Security Management of Regulatory Data (for Trial Implementation) (Yinbaojianfa [2020] No.43). Build an ISO/IEC 27001 information security management system. Obtain information security-related certification to demonstrate its information security protection capability.
SAIC GM Wuling
It took 5 months from project start to submission of the risk report. Staffing: 1 senior consultant and 3 implementation consultants. Total service effort: about 150 person-days.
Background: SAIC-GM-Wuling, as an automobile manufacturer, holds automobile R&D and design materials as well as the personal information of vehicle owners for new energy subsidies, delivered by 4S stores. Demand analysis: meet the compliance requirements of the Personal Information Protection Law and protect the personal information of vehicle owners. Classify internal data and formulate protection systems for each data category. Conduct risk assessments of its 15 major core business systems.
Deliverables and outputs: 15 sets of business process evaluation reports for the core business systems, including penetration test reports and app compliance reports. Data asset classification management system and data asset classification table. Evaluation report on the information security capability of the cloud service providers, with rectification suggestions.
Service content: conduct technical and business process risk assessments of 15 systems, including Linglingtong, Junke Marketing and Customer Management. Establish a data classification system covering R&D data and personal information, and classify the data assets. Evaluate and review the security capabilities of the cloud platform service providers on which important business systems depend, and verify that security capabilities are delivered effectively in accordance with the SLAs.
SMIC
It took 6 months from project initiation to submission of the risk report. Staffing: 1 senior consultant and 2 implementation consultants. Total service effort: about 180 person-days.
Background: as a chip R&D and manufacturing enterprise, SMIC needs to protect its own chip R&D data and the chip design data of its foundry (OEM) customers. Demand analysis: establish a strict information security management system to protect its own and its customers' intellectual property, and produce compliance reports to meet customers' information security audit needs.
Deliverables and outputs: information security management system documents and implementation process documents. Information security capability maturity gap analysis report and rectification suggestions. ISO/IEC 27001 management system certificate issued by the British Standards Institution (BSI). Compliance audit report required by foundry customers.
Service content: establish an information security management system and process system and keep it in continuous operation. Evaluate the existing information security level against the established management system processes and rectify the non-conformities. Establish the relevant standards and processes according to the requirements of its foundry customers, and provide information security audit reports.
L'Oréal
It took 8 months from project start to submission of the risk report. Staffing: 1 senior consultant and 3 implementation consultants. Total service effort: about 240 person-days.
Background: L'Oréal China is the largest cosmetics manufacturer in the world, and it obtains a large amount of consumer membership information in the course of its business. Demand analysis: privacy policy and compliance evaluation of the online membership system, establishment of a management system based on information security and personal information protection, and information security requirements and audits for its suppliers.
Deliverables and outputs: risk management outputs based on personal information: personal information impact assessment (PIA) report and personal information protection management system. App personal information test report and rectification suggestions. Supplier information security review checklist and audit reports for three suppliers. ISO/IEC 27701 management system certificate issued by the British Standards Institution (BSI).
Service content: establish a sustainable and auditable personal information protection management system based on ISO/IEC 27701. Conduct a self-assessment according to the "Self-assessment Guide for the Illegal Collection and Use of Personal Information by Apps" and rectify the nonconformities. Establish information security audit requirements and standards for its suppliers, and conduct spot checks and audits of its suppliers.