Research and practical exploration of data security risk assessment methods

Data security is the cornerstone of big data development. The "14th Five-Year Plan" proposes to improve the data classification and grading protection system applicable to the big data environment, strengthen data security assessment, and promote the safe and orderly cross-border flow of data. The "Data Security Law of the People's Republic of China" (hereinafter referred to as the "Data Security Law") specifies that the state establishes a centralized, unified, efficient and authoritative mechanism for data security risk assessment, reporting, information sharing, monitoring and early warning; processors of important data should carry out risk assessments on a regular basis and submit a risk assessment report to the relevant competent authority.

At present, the country lacks relevant standards for data security risk assessment, yet data security risk assessment is a basic project in the field of data security and a core task of data governance. Its purpose is to assess the status of data security risks in a timely manner and to monitor and deal with them, laying the foundation for both data protection and full utilization of data. With the widespread application of big data technology, effectively identifying and dealing with risks will be the only way forward for the development of the digital economy. Therefore, this article attempts to establish a business-based, full-process risk assessment method centered on the data itself and on data processing activities, and conducts research on assessment principles, assessment models, assessment scenarios, assessment control points, etc., in order to explore a practical path for data security risk assessment.

1. Definition of data security risk

Paragraphs 2 and 3 of Article 3 of the "Data Security Law" stipulate that data processing includes data collection, storage, use, processing, transmission, provision, disclosure, etc., and that data security refers to taking the necessary measures to ensure that data is in a state of effective protection and lawful use, together with the ability to maintain that secure state continuously. In February 2018, ISO released "ISO 31000:2018 (en) Risk management-Guidelines", which defines "risk" as "the effect of uncertainty on objectives": organizations of all types and sizes face internal and external factors and influences that make it uncertain whether and when their objectives will be achieved, and the effect of this uncertainty on organizational objectives is "risk".

Based on this, this article defines the concept of "data security risk" as follows: in data collection, storage, use, processing, transmission, provision, disclosure and other data processing activities, natural factors, human factors, technical vulnerabilities and management defects may cause the integrity, confidentiality and availability of data to be compromised, resulting in leakage, theft, tampering, damage, loss or illegal use, which in turn affects national security, public interests, or the legitimate rights and interests of organizations and individuals. On December 22, 2021, the Ministry of Industry and Information Technology issued the "Guidelines for the Submission and Sharing of Data Security Risk Information in the Field of Industry and Information Technology (Trial) (Draft for Comment)", which clearly states that data security risks include but are not limited to data leakage, data tampering, data abuse, illegal transmission, illegal access, abnormal traffic, etc.

2. Research on data security risk assessment

(1) Evaluation principle

Drawing on relevant international and domestic standards and on data security research results, this article establishes a data security risk assessment relationship model. It revolves around five assessment elements: data, data application scenarios, data security threats, data security vulnerabilities, and security measures.

The core of data security risk assessment is data, and data flows through various application scenarios. Vulnerability is an attribute of the data itself. In each application scenario, the various subjects involved in data processing activities produce different data behaviors, which may carry management and technical vulnerabilities that give rise to data security risks. Implementing security measures makes data vulnerabilities harder to exploit and resists threats, thereby achieving data protection.

(2) Evaluation model

In order to carry out the various tasks involved in data security risk assessment, it is necessary to establish a complete, systematic, feasible and applicable assessment model for data risk assessment, as shown in Figure 1.

[Figure 1: data security risk assessment model (image not available in this copy)]

Origin: blog.csdn.net/Arvin_FH/article/details/131723945