Supply chain management construction under data security

1. The background of data supply chain security construction

The digital dividend continues to be tapped and released, opening new "windows" for every industry. Using data as the basic driving force of organizational development and promoting diversified, in-depth business growth has become an urgent problem for all industries to solve. Data generates value only when it flows, and the wider the flow, the greater the value. Combining "internal data circulation" with "external data circulation" yields greater data benefits and releases more data value. Internal circulation refers to using data within the organization in combination with its own business scenarios. External circulation takes the industrial chain or urban agglomeration as its unit, opens the "partitions" between upstream and downstream organizations, and establishes "channels" for data flow, so that data can "shuttle" between different entities and generate greater value. Data thus effectively integrates the upstream and downstream of the industrial chain: independent entities can expand their business scope and raise their own industrial efficiency, and at the same time face external competition as a group and raise industry barriers.

While external data circulation produces greater benefits, it also brings new security risks and new security requirements: the division of security responsibilities between entities, certification of security technology capabilities between groups, security personnel capability requirements, data watermarking for traceability, and so on. Security is the cornerstone of business development. It is necessary and urgent to build a multi-dimensional, whole-process data security system that covers the individual entities within a group and supports the group through its entities.

2. Supply chain security requirements under DSMM

2.1 Description

By establishing the organization's data supply chain management mechanism, the security risks in the organization's upstream and downstream data supply process are prevented.

2.2 Level 1 [Informal Enforcement] Requirements

Organizational construction: No mature and stable supply chain security management has been established in any business, and the security management of individual data supply chains is only considered based on temporary needs or based on personal experience.

2.3 Level 2 [Plan Tracking] Requirements

Organizational construction: The relevant personnel of the business team who actually have the upstream and downstream supply of data should be responsible for the management of the data supply chain.

Institutional process: In the core business, a cooperation agreement should be signed with the upstream and downstream suppliers for specific data supply scenarios, and the purpose of data use, supply method, confidentiality agreement, etc. should be specified in the cooperation agreement.

Personnel capability: Personnel responsible for this process should have the ability to assess risks for specific data supply scenarios.

2.4 Level 3 [Fully Defined] Requirements

Organizational construction: The organization's overall data supply chain security management positions and personnel should be set up to be responsible for formulating overall data supply chain management requirements and solutions.

Institutional process: Data supply chain security management norms should be clarified, defining the security objectives, principles and scope of the data supply chain, the responsible departments and personnel, the responsibilities and obligations of the upstream and downstream parties, and the organization's internal audit principles. The purpose of use, supply method, confidentiality agreement and security responsibilities and obligations for data in the data chain should be clarified through the cooperation agreement. A data security capability evaluation specification for data suppliers should be clarified, the data security capability of each supplier should be assessed according to that specification, and the evaluation results should be applied to supplier management processes such as supplier selection and supplier audit.

Technical tools: An organization-wide data supply chain library should be established to manage the data supply chain catalog and the data dictionaries of the related data sources, so that the overall state of the organization's upstream and downstream data links can be viewed and updated in a timely manner, and so that upstream and downstream compliance in the data supply chain can be tracked and analyzed afterwards.

Personnel capacity: Personnel in charge of this process should understand the overall situation of the organization's upstream and downstream data supply chains, be familiar with supply chain security regulations and standards, and have the ability to promote the implementation of supply chain management plans.

2.5 Level 4 [Quantitative Control] Requirements

Institutional process: The security risks of upstream and downstream data activities in the data supply chain and the data security management capabilities of data suppliers should be assessed regularly.

Technical tools: Quantify the organization's overall data supply chain through technical tools, classify and organize the organization's upstream and downstream data supply needs, objects and methods, and discover and follow up potential risks in the data supply chain management process in a timely manner. The behavior of data service providers and data users upstream and downstream of the supply chain shall be reviewed and analyzed for compliance, and, based on the data supply chain records, technical tools shall be used to conduct security review and analysis of the relevant upstream and downstream parties.

2.6 Level 5 [Continuous Optimization] Requirements

Institutional process: The overall data supply chain management plan of the organization should be able to be adjusted in a timely manner according to the regulatory dynamics and industry practices in the field of data supply chain management at home and abroad.

Technical tools: Participate in the formulation of international, national or industry-related standards. Share best practices in the industry and become an industry benchmark.

3. Data supply chain security construction framework

The security of the data supply chain should be built around the data life cycle and the four aspects of organizational construction, institutional process, technical protection, and personnel capacity (organizational construction management, institutional guarantee management, technical support management, and personnel execution management), so as to ensure the security of the data supply chain as far as possible. The specific construction idea is as follows:

3.1 Construction ideas

First, combine the data life cycle to clarify the cooperation mode of the upstream and downstream supply chains, the business calls (call methods, transmitted data content, etc.) and the security protection capabilities (security control capabilities, security supervision capabilities, etc.), and identify the current data security risks. Second, with the goal of ensuring data confidentiality, integrity and availability, compare the current data security risks against that goal to find the security gap, and set construction priorities based on the situation of the organization itself and of its upstream and downstream supply chains. Third, according to those priorities, iterate and correct quickly in small steps. Finally, continuously optimize and improve the results.

3.2 Construction content

In terms of organizational construction, establish a dedicated team or person responsible for data supply chain security. The main contents include defining job responsibilities, coordinating the multiple parties in the data supply chain, and promoting the implementation and improvement of supply chain management norms.

In terms of institutional process construction, build a partner management agreement (based on the cooperation life cycle; strengthen security responsibilities, security obligations, liability for breach of contract and confidentiality agreements, and clarify the purpose of use and supply method of data in the data chain from multiple dimensions such as the enterprise and the individual); build data supply chain security management norms that define the security objectives, principles and scope of the data supply chain, the responsible departments and personnel, the responsibilities and obligations of upstream and downstream parties, and the organization's internal audit principles; and establish a continuous assessment mechanism that regularly conducts security assessments of supply chain-related companies and applies the results to supplier management processes such as supplier selection and supplier audit.

In terms of technical construction, build a data supply chain resource library to manage data supply chain catalogs and the data dictionaries of related data sources, so that the overall state of the organization's upstream and downstream data links can be checked and updated in a timely manner and used afterwards to track and analyze upstream and downstream compliance. Quantify the organization's overall data supply chain through technical tools, classify and organize the organization's upstream and downstream data supply needs, objects and methods, discover and follow up potential risks in the data supply chain management process in a timely manner, and conduct compliance review and analysis of the behavior of data service providers and data users upstream and downstream of the data supply chain.

In terms of personnel capacity building, understand the overall situation of the organization's upstream and downstream data supply chain, be familiar with supply chain security regulations and standards, and have the ability to promote the implementation of supply chain management solutions.
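As an added illustration of the data supply chain library and the after-the-fact compliance review described in the technical construction above (example code, not from the article; the class names, fields and sample partners are assumptions), a minimal catalog of cooperation agreements that reviews recorded transfers for an uncatalogued link, a missing confidentiality clause, a purpose or supply method outside the agreement, and a stale supplier assessment:

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Agreement:  # catalog entry: the cooperation agreement behind one data link
    partner: str
    dataset: str
    purposes: frozenset      # purposes of use the agreement permits
    supply_method: str       # agreed supply method, e.g. "api" or "sftp"
    confidentiality: bool    # confidentiality clause signed
    last_assessment: date    # date of the last supplier security-capability assessment

# One recorded upstream/downstream exchange, reviewed against the catalog afterwards.
Transfer = namedtuple("Transfer", "partner dataset purpose method")

class SupplyChainCatalog:  # the organization-wide data supply chain library
    def __init__(self, assessment_validity_days=365):
        self._links = {}     # agreements keyed by (partner, dataset)
        self._validity = timedelta(days=assessment_validity_days)

    def add(self, agreement):
        self._links[(agreement.partner, agreement.dataset)] = agreement

    def review(self, transfers, today):
        """Compliance review: check each record against its agreement, return findings."""
        findings = []
        for t in transfers:
            key = f"{t.partner}/{t.dataset}"
            a = self._links.get((t.partner, t.dataset))
            if a is None:    # data link that was never catalogued
                findings.append(f"{key}: no agreement on file")
                continue
            if not a.confidentiality:
                findings.append(f"{key}: no confidentiality clause")
            if t.purpose not in a.purposes:
                findings.append(f"{key}: purpose '{t.purpose}' not agreed")
            if t.method != a.supply_method:
                findings.append(f"{key}: method '{t.method}' not agreed")
            if today - a.last_assessment > self._validity:
                findings.append(f"{key}: supplier assessment stale")
        return findings

def demo_findings():  # constructed sample data, not from the article
    cat = SupplyChainCatalog()
    cat.add(Agreement("acme", "orders", frozenset({"billing"}), "api", True, date(2021, 1, 10)))
    cat.add(Agreement("beta", "users", frozenset({"analytics"}), "sftp", False, date(2019, 6, 1)))
    transfers = [Transfer("acme", "orders", "billing", "api"),      # fully compliant
                 Transfer("beta", "users", "marketing", "sftp"),    # three findings
                 Transfer("gamma", "logs", "ops", "api")]           # not catalogued
    return cat.review(transfers, date(2021, 2, 1))
```

In practice the agreements and transfer records would be loaded from the organization's supply chain library and transfer logs rather than constructed inline.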


Source: https://blog.csdn.net/a59a59/article/details/113795198