First, determine the grading object and level.
Determine the grading objects: determine which information systems need to be graded, usually the key business systems within the enterprise or the important service systems of government departments.
Preliminary determination of level: according to the business nature, scale, complexity and possible security threats of the information system, the security protection level of the system is initially determined.
Expert review and competent department audit: invite industry experts to review the preliminarily determined grades to ensure the accuracy and rationality of the grades. If the system classification involves the superior department, it needs to be reviewed and approved by the superior department.
Second, prepare the filing materials and submit them
Prepare filing materials: including organization code certificate, legal person business license, safety policy and system documents, evaluation forms and reports of enterprises and institutions, etc. All materials must be true, accurate and complete, and be named and submitted as required.
Submit filing application: users submit filing materials to local public security departments at or above the municipal level. After receiving the application, the public security department will generally complete the review and issue a record certificate within 1-2 weeks.
Third, the system security assessment and rectification
Assess the security status of the system: conduct a comprehensive security assessment of the system through vulnerability scanning and penetration testing to identify existing security risks and vulnerabilities.
Formulate rectification plan: according to the evaluation results, formulate a detailed rectification plan, and define the rectification objectives, measures, timetable and responsible person.
Implementation of rectification: according to the rectification plan, the system shall be strengthened and repaired. After the rectification is completed, the rectification shall be reported to the public security organ for the record.
Fourth, select evaluation institutions and conduct comprehensive evaluation.
Arrange evaluation institutions: The public security organs will arrange evaluation institutions with relevant qualifications to conduct on-site evaluation of the system.
Comprehensive evaluation: The evaluation organization will conduct a comprehensive inspection and test on the physical security, network security and application security of the system, and record and report the security problems found.
Submit the evaluation report: the evaluation institution shall prepare the evaluation report according to the evaluation results, and summarize the security level, evaluation results and rectification suggestions of the system.
Fifth, obtain the classified protection filing certificate.
According to the evaluation report and filing materials, the public security organ issues the classified protection filing certificate, completing the whole classified protection evaluation process.
Sixth, matters needing attention
Select qualified and experienced evaluation institutions: ensure the professionalism and accuracy of the evaluation work.
Abide by the relevant national laws, regulations, policies and standards: ensure the compliance of the evaluation work.
Record the evaluation process in detail, including all steps, problems found, measures taken and suggestions for follow-up and improvement.
Protect customers' data security and privacy: prevent information leakage.
Please note that the above procedures are for reference only, and the specific procedures may be different due to the actual situation and policy changes. If necessary, it is recommended to consult local public security organs or qualified assessment agencies to obtain the latest information.