When we talk about the "Data Security Law (Draft)", what are we talking about?

With the "Data Security Law (Draft)" open for public consultation, the industry has been discussing data security extensively. Security builders (vendors) look for business opportunities that follow from the data security law, while the parties responsible for security discuss how to build under its guidance. Clearly, both the supply side and the demand side are discussing the necessity and feasibility of building a data-centric security protection system around the data security law.

For a data security practitioner, opening up new channels in the sea of data security, discovering new continents, and improving both oneself and the core competitiveness of one's enterprise is a necessary and continuous task. Once the Data Security Law is officially promulgated, it will serve as a compass for navigating these waters and a weathervane for industrial development, and it will help the entire data security industry flourish. Studying the data security law and discussing it in depth is therefore a way for every security practitioner to update their overall view.

Based on our own experience, this article extracts the points of concern in the data security law from three perspectives: market development, the parties responsible for guaranteeing security, and security builders, and extends each point to make it more practical and more thought-provoking.

1. Market Development

The draft describes data security and development clearly (Articles 12 to 18), which can be summed up in five points: digital economy, system standardization, security specialization, transaction standardization, and education systematization.

Digital economy: In the process of digitizing the economy, security is needed as a guarantee. Informatization is the foundation of the digital economy, so network security and informatization are two wings of one body and must be planned in a unified manner. For example, in February 2019 the General Office of the Shandong Provincial Government issued the "Digital Shandong Development Plan (2018-2022)", which takes five aspects as key tasks: consolidating basic support, cultivating the digital economy, innovating digital governance, developing digital services, and implementing key breakthroughs. Its basic principles are supported by digital infrastructure, the data resource system, and network security (network security in the broad sense), with digital industrialization and industrial digitalization as the core, and government governance and the digital application of services that benefit the people as the focus, in order to comprehensively enhance the core competitiveness and comprehensive strength of Shandong's development in the digital economy era.

System standardization: Strengthen the construction of the data security standard system, establish a series of standards and specifications around data security, and improve security protection capabilities. Many security vendors in the industry now take part in drafting data security standards and specifications. Participating in standards work serves two purposes: it guides the industry's security construction, and it strengthens the vendor's brand and builds barriers to competition.

Security specialization: Through the specialization of security inspection and evaluation, certification, and other services, strengthen security capabilities across pre-event system certification, in-event inspection and evaluation, and post-event professional service. For example, the China Information Technology Security Evaluation Center and Tianrongxin jointly developed a training certification for data security talent, the Certified Information Security Professional - Data Security Governance (CISP-DSG), whose purpose is to strengthen the technical, managerial, and other professional capabilities of personnel involved in data security governance.

Transaction standardization: Cultivate the data transaction market, and strengthen the construction of the technical and management systems used in the data transaction process. Today's data trading market is very diverse, spanning governments and enterprises as well as free and paid data.

Education systematization: Strengthen the integration of data security into schools, establish a diverse training system, enrich and diversify the teaching content, and push security capability building down into education so that it becomes more systematic and structured.

2. Guarantee Responsible Party

The responsible party pays more attention to Articles 19 to 40 of the draft. Articles 19 to 24 form the chapter on the data security system, which sets out system requirements for competent authorities, enterprises, and other bodies and governs the various basic systems; Articles 25 to 33 put forward general requirements on management, technology, risk detection, risk assessment, data collection, review and filing, and cross-border data; Articles 34 to 40 focus on government data, and put forward requirements on empowering social development, collection principles, management systems, data review, and data opening.

At present, the common problem is how to implement the data security law effectively. The underlying reason is a lack of understanding of how to systematize data security during the transition from network security to data security. For example: how should data classification and grading be built? How can classification and grading be combined effectively with the existing technology system and with the future technology system? How should a risk assessment system be built, and how should it be operated and maintained? The problems listed above are still isolated manifestations of the larger task of systematizing data security protection. Without a bird's-eye view of the whole situation, the work will be very passive.

3. Security Construction Party

The security builder needs to work through the clauses layer by layer and find the points that its existing products already satisfy, so as to use them as the basis (entry point) for building out its own products. At the same time, it also needs to invest more manpower, material resources, and financial resources to research and plan its own security system, extend the breadth and depth of its product line, and seize security market opportunities. Overall, the extension of the security law can be divided into three types: the strategic type, the project type, and the product type.

The strategic type considers the overall situation, sets new strategic directions, and opens up new business lines, such as adjusting the group's ratio of R&D investment between network security and data security, strengthening data security capabilities, and capturing relatively untouched market areas. It also transforms tacit experience into explicit knowledge and outputs its overall value in the form of training (at present this is mostly network security training, such as penetration testing), effectively engaging the most downstream link of the security chain (people) in order to promote its own product concepts, product functions, brand recognition, and so on.

The project type includes the product type. The project type needs to rely on the window of opportunity in the broader "digital +" environment to help the responsible parties build their own security armor, lift the "security curse", let the business run in a secure environment, and let security value support business value.

The product type considers multiple dimensions such as product function, performance, and application scenarios, in order to support the effective implementation of the project type and the strategic type.

For the project type, security construction at this stage can be carried out in a targeted way from four aspects: construction of the whole-process system, data classification and grading, a security system based on the data life cycle, and the establishment of a continuous, dynamic improvement mechanism. The specific relationship is shown in the figure below.

Data classification and grading play a connecting role in the entire data security protection process. They are the glue for the construction of the management system, the technical system, and the operation and maintenance system: with classification and grading as the hub, the different systems are integrated effectively, improving the collaborative ability, the orientation ability, and the operation and maintenance efficiency of the data security protection system (see the previous related articles for the specifics of management system construction and of classification and grading).

The construction content in the above figure outputs overall value (security value is an auxiliary value that supports business value) rather than the value of a single product. In terms of construction period, personnel requirements, project difficulty, and project budget, the product type cannot compare with the project type.

4. Summary

With the subsequent promulgation of the Data Security Law, the curtain will officially rise on data security, and the construction of data-centric security has only just begun!

Origin blog.csdn.net/a59a59/article/details/107329896