Listening to customers | Dongtai Rural Commercial Bank: Exploration and practice of establishing a sound data security management system

To consolidate bank data security, it is necessary to "plan first, and plan before acting". The first task is to establish the action outline for management work and to establish a system guarantee framework to implement that outline, followed by specific action measures and daily inspection and monitoring. From the perspective of the practice path of bank data security construction, I think it can be summed up in the twelve characters "review the status quo, formulate the general outline, establish detailed rules, and implement actions".

— Wang Jinsong, General Manager of the Information Technology Department of Dongtai Rural Commercial Bank

With the increasing trend of data security upgrades, an action to strengthen data security capabilities has been fully rolled out in banks.

Jiangsu Dongtai Rural Commercial Bank and Meichuang Technology have joined hands to fully explore the direction of data security governance, coordinate the establishment of a data security management system and process specification requirements for all business posts, give full play to the role of internal supervision and management, and achieve a balance between guaranteeing business development and data security. The project won the "2022 Financial Industry Information Security Construction Outstanding Contribution Award".

Recently, Shushi Consulting and Wang Jinsong, general manager of the Information Technology Department of Dongtai Rural Commercial Bank, started a dialogue on "data security".

The following is the transcript of the conversation:


Q1: It is imperative for our country to strengthen data compliance supervision, especially in the financial industry. For two consecutive years, the China Banking and Insurance Regulatory Commission has listed data security management issues as the main basis for its "No. 1 ticket" penalty. How do you feel about data security? What is Dongtai Rural Commercial Bank's response idea?

Wang Jinsong: In consolidating information security management work, our bank's consistent thinking has been "plan first, and plan before acting". The first task is to establish the action outline of the management work, then establish a system guarantee framework based on it to implement the outline, and then the specific action measures and daily inspection and monitoring. The same is true for our bank's data security management construction. To implement data security, the first thing is to ensure clarity of data assets, normalization of risk monitoring, and a secure workflow.

Secondly, following the "three lines of defense" idea in the banking industry, we also conducted an in-depth interpretation of the two laws. From the perspective of data security protection obligations, there is not only a self-restraining requirement on the first line of defense, but also requirements on the second line of defense for data-compliance due-diligence controls such as security organization and personnel protection, risk assessment and risk monitoring, security protection, and inspection and supervision. Overall, the second line of defense plays the more important role in data security and personal information protection. Therefore, the technology department is required to take the initiative to establish a data security management and education mechanism, actively pursue improvement of data security management and technical skills, and at the same time fulfill the duty of publicizing and implementing data security awareness and process specifications across the whole bank.

Information security work is a "three parts technology, seven parts management" project. In order to comply with data compliance regulatory requirements and meet the demands of financial data security risk management and control, the data security and personal information protection work of Dongtai Rural Commercial Bank is inseparable from the in-depth participation of front-line business; it is particularly important to build a data security management mechanism grounded in the actual business.

It is against this background that, after many exchanges and comparisons, our bank decided to join hands with Meichuang Technology and officially launched the first phase of the data security construction project in 2022, with a sound data security management system guarantee framework as its core. On the basis of a detailed assessment of the status of data security and system management processes, investigation, and qualitative risk analysis, the bank's data security management system framework was introduced and implemented.

Q2: Then, how does Dongtai Rural Commercial Bank carry out construction planning?

Wang Jinsong: From the perspective of the construction planning path, I think it can be summed up in the twelve characters "review the status quo, formulate the general outline, build detailed rules, and implement actions", among which:

Reviewing the status quo: On this point, we did not start directly with the internal inventory, but first built an understanding of the general situation of data security construction in society and in the industry, hoping to clarify the main contradictions so as to guide the work in a more targeted manner. A general pattern was found:

  • There is a lack of a systematic data security management guarantee mechanism, and there are large "blind spots" in data compliance management;

  • There is a lack of an effective data security construction guarantee mechanism; most efforts are piecemeal, point-by-point security construction, which is often exhausting;

  • In the absence of a clear data security organizational guarantee mechanism, it is difficult to effectively carry out and quickly advance data security construction work;

  • Lacking a data security supervision and management mechanism, data security construction is difficult to assess and its results cannot be measured;

  • Lacking a continuous and dynamic data security risk assessment mechanism, it is difficult to determine whether data security risks exist and whether external compliance requirements are met.

Using these five items as an inventory framework, through a comprehensive management survey and analysis of our bank's data security work and an in-depth review of existing achievements and problems, we found that our bank was no exception in terms of data security.

Establishing the general outline: In view of the above situation, from the perspective of society and the industry, the first priority is to determine the general line and action outline for data security and personal information protection. To this end, our bank takes the compliance requirements of the three laws as the red line, the requirements for network security classified protection and critical information infrastructure security protection as the baseline, and the relevant regulatory requirements of the financial industry and relevant national standards for data security as the reference model. Guided by local data security regulations and management measures, a general outline for data security and personal information protection that meets the business management objectives of Dongtai Rural Commercial Bank was formulated.

Building detailed rules: Based on the general outline for data security and personal information protection, and referring at the same time to the DSG and DSMM models and the CARTA, IPDRR, and PDCA practice methodologies, our bank established and improved security rules and regulations covering organizational construction, risk assessment, technical support, education and training, emergency response, and other aspects. Secondly, in view of the diversity of business application scenarios, data security process specifications must be grounded in real application scenarios, so we also established scenario-based security specifications, for example for personal information processing and cross-border data transmission.

Implementing actions: A good system also needs to be implemented in order to reflect its value. Therefore, once the data security management system guarantee framework of Dongtai Rural Commercial Bank, including the general outline and detailed rules, was established, the first step we took was publicity and education, starting with personnel: building the security awareness and security skills the system requires, so that all employees of the bank realize that data security and personal information protection are closely related to everyone's daily work and that everyone fulfills their legal obligations. At the same time, comprehensive evaluation and assessment lists covering technical protection, emergency response, assessment and evaluation, education and training, and other areas were also established, with responsibilities assigned to individuals, so as to enhance the initiative and action in implementing the data security management system.

Of course, there is also the construction and optimization of the technical support system, which is very important and may affect the implementation effect of the system, and which we are also starting at the same time. The first step is to sort out the existing security technologies and product tools and match them against the requirements of the system. In line with the concept of sustainable development and the economic principle of "making full use of the old", the optimization of existing technical measures through reinforcement is prioritized. The second step is to fill the gaps in technical measures by building new ones.

The above is the practical path planning of our bank in data security and personal information protection work, and it is also the consistent action line of our science and technology department. After the first phase of construction, we are currently in the stage of "consistent action".

Q3: Can you briefly describe the data security management system and norms established by your bank so that everyone can have a more intuitive experience?

Wang Jinsong: Our bank's data security management system was not built from scratch; it was derived from the existing information security management system, so the document structure of the data security management system is also designed in accordance with the ISO/IEC 27001 international standard's information security management system framework. Each type of management document covers four levels, with policies and strategies as the first level, systems and methods as the second level, norms and detailed rules as the third level, and documents such as forms and templates as the fourth level. In total, 51 institutional documents have been established, including 1 first-level document, 3 second-level documents, 11 third-level documents, and 36 fourth-level documents. All systems have been released to the whole bank and are currently undergoing continuous training and implementation.

Q4: What difficulties do you think the bank's technology department will face in the construction of data security management? Can you provide us with some valuable experience in solving these problems?

Wang Jinsong: Regardless of whether it is the data security management system or the technical safeguard measures, because the characteristics of the object being protected—that is, data—are highly coupled with the business, it is closely related to all departments and personnel in the bank. During the formulation process, the cooperation and support of the business departments is crucial. This requires our technology department and the business departments to work together, and to gain their support as much as possible. For data security and personal information protection, in accordance with legal requirements, the responsibility for data security management can be elevated and broadened by suggesting that senior management and department leaders establish virtual management and responsibility bodies such as a data security committee.

Secondly, although we can meet the current applicability of the system through a series of measures such as interpreting laws, regulations and policy requirements and evaluating and sorting out business logic, no management system is static; it changes with the external environment and requirements. The adjustment of business logic and the self-evolution and dynamic change of the system itself mean that we cannot fully determine the content of the system from the beginning. Therefore, the first-level and second-level management documents should be as abstract as possible to reduce the frequency of system revisions caused by business adjustments, while the concrete process specifications should be implemented in the third-level detailed rules and fourth-level supporting form documents, so as to ensure the current applicability of the system.

Origin blog.csdn.net/meichuangkeji/article/details/129421519