Data Security Risk Assessment White Paper

This white paper proposes a data security governance framework based on data and data processing activities, including data asset sorting, data security risk assessment, and data security risk disposal.

The framework starts from the enterprise's own data assets, takes account of the different data processing activities carried out at each stage of the enterprise's production and operation, and closely follows the requirements of laws, regulations and industry norms, in order to meet two needs: lawful and compliant operation, and safe and controllable handling of production activity risk. The data security governance framework based on data and data processing activities consists of the following three parts:

1) Data asset sorting, which provides practical guidance for inventorying enterprise data assets and for data classification and grading.

2) Data security risk assessment, which builds on the results of data asset sorting, guides enterprises in implementing data security risk assessment methods across their different data processing activities, and carries out the assessment work itself.

3) Data security risk disposal, which takes the assessment results, the enterprise's development stage and the priority of the problems found in production and operation, and the requirements of national laws, regulations and industry norms, and uses data security management, protection of the data itself, data security management and control, data risk monitoring and other means to improve the enterprise's ability to fulfil its protection and management responsibilities and to maintain a continuously secure state.

Referring to the definition in the "Data Security Law of the People's Republic of China", the core of data security risk assessment is, starting from data assets, to identify the risks in data processing activities and the countermeasures to them. Data processing activities here are the enterprise's business activities that process data; data processing includes the collection, storage, use, processing, transmission, provision and disclosure of data. The data security risks discussed in this paper are risks in the broad sense, covering both legal compliance risks and technical security risks.

The information security risk assessment method summarises the implementation points and work forms for each stage of the information system life cycle and comprises four parts: assessment preparation, risk identification, risk analysis and risk evaluation. Building on that method, the data security risk assessment method pays more attention to data assets and to the risks faced in the related data processing activities.

By sorting out the elements of data assets and data processing activities, combining them with existing compliance measures, and fully identifying the legal and regulatory requirements for each type of data and the compliance points in each processing activity, the legal compliance analysis of data security is completed. By sorting out the same elements, combining them with existing technical security measures, and referring to the asset value of the data, the vulnerability of the processing activities and the identified threats, the technical vulnerability and threat analysis is completed, forming the data security event analysis. The legal compliance analysis and the event analysis are then combined to produce the data security risk value.

Assessment preparation: at present, enterprises and organisations carry out risk assessment mainly on the basis of national laws and regulations, industry supervision, business requirements and other relevant requirements, and consider at the strategic level how the assessment results will affect the enterprise. Preparation for a data security risk assessment mainly covers the assessment object, scope, boundary, team formation, basis and criteria, the formulation of the assessment plan, and obtaining management support.

Risk identification: mainly includes asset value identification, identification of the elements of data processing activities, legal compliance identification, threat identification, vulnerability identification, and identification of existing security measures.

Risk analysis: after asset value, processing activity elements, legal compliance, existing security measures, threats and vulnerabilities have been identified, appropriate methods and tools are used to derive the legal compliance risks faced by the enterprise, the likelihood of data security incidents and the impact those incidents would have on the organisation, from which the data security risk value is obtained.

Risk evaluation: after the risk analysis, the enterprise obtains the distribution of risk values through the risk value calculation method and divides them into three levels: high, medium and low. The content of the assessment results is then set out according to the risk level.
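To make the risk analysis and evaluation steps concrete, here is an added example (not from the white paper) that scores one data asset across its processing activities using the inputs the paper names: asset value, per-activity threats, vulnerabilities, existing measures and compliance gaps. The 1-5 scales, the combination rules and the high/medium/low thresholds are assumptions, since the paper gives no formula.

```python
from dataclasses import dataclass, field
# The seven data processing activities named in the paper.
ACTIVITIES = ("collection", "storage", "use", "processing",
              "transmission", "provision", "disclosure")

@dataclass
class Finding:
    activity: str         # one of ACTIVITIES
    threat: int           # threat likelihood, 1-5 (assumed scale)
    vulnerability: int    # vulnerability severity, 1-5 (assumed scale)
    control: int          # effectiveness of existing measures, 0-4 (assumed)
    compliance_gaps: int  # count of unmet legal/regulatory requirements

@dataclass
class DataAsset:
    name: str
    value: int            # asset value / classification grade, 1-5 (assumed)
    findings: list = field(default_factory=list)

def finding_risk(asset: DataAsset, f: Finding) -> int:
    """Risk value (1-25) for one activity: max of event and compliance risk (assumed rule)."""
    if f.activity not in ACTIVITIES:
        raise ValueError(f"unknown processing activity: {f.activity}")
    # Likelihood rises with threat and vulnerability, falls with controls.
    likelihood = max(1, min(5, f.threat + f.vulnerability - f.control - 1))
    event_risk = likelihood * asset.value
    # A compliance gap on a high-grade asset is treated as a high risk.
    compliance_risk = min(25, f.compliance_gaps * asset.value * 3)
    return max(event_risk, compliance_risk)

def level(risk: int) -> str:
    """Bucket a risk value into the paper's three levels (thresholds assumed)."""
    return "high" if risk >= 15 else "medium" if risk >= 8 else "low"

def assess(asset: DataAsset) -> dict:
    """Per-activity risk values plus the asset's overall value and level."""
    per_activity = {}
    for f in asset.findings:
        r = finding_risk(asset, f)
        per_activity[f.activity] = max(r, per_activity.get(f.activity, 0))
    overall = max(per_activity.values(), default=0)
    return {"asset": asset.name, "activities": per_activity,
            "risk_value": overall, "level": level(overall)}

# Constructed sample: a grade-5 customer identity data set.
SAMPLE = DataAsset("customer identity records", 5, [
    Finding("transmission", threat=4, vulnerability=4, control=1, compliance_gaps=0),
    Finding("storage", threat=2, vulnerability=3, control=2, compliance_gaps=0),
    Finding("provision", threat=1, vulnerability=1, control=0, compliance_gaps=1),
])
```

Running `assess(SAMPLE)` rates the asset high overall because of the transmission finding, while the provision activity is rated high purely on its compliance gap despite a low technical likelihood.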

Through the data security risk assessment the enterprise finally obtains its risk assessment result. Based on the resulting risk levels and the actual situation of its production activities, the enterprise formulates follow-up data security risk management and control strategies and carries out data security risk disposal.

Origin blog.csdn.net/Arvin_FH/article/details/131723912