Sweeping up security issues in one go: data security risk assessment implementation practice

Data security risk assessment is one of the basic data security systems specified in the "Data Security Law", and it is also a data security protection obligation that processors of important data must fulfill. In May of this year, the "Network Security Standards Practice Guidelines - Guidelines for the Implementation of Network Data Security Risk Assessment" was released.

As digital transformation continues to advance, the volume of data held by units and organizations has grown rapidly, the scenarios in which data is generated, circulated and applied have become more diverse, and a complex, intertwined mix of security threats and risks waits for an opportunity, posing severe challenges to the further advancement of digitalization. Discovering potential data security risks and preventing them through data security risk assessment is therefore an important task, whether the driver is compliance with regulatory requirements or the organization's own secure business development.

Having been deeply involved in the field of data security for many years, Meichuang's data security risk assessment service has accumulated rich practical experience in finance, government, medical and other industries, and has formed a scientific risk assessment methodology and assessment reference model. Building on that accumulated experience, in 2022 Meichuang officially released a comprehensive data security assessment system integrating multiple capabilities, committed to making assessment work simpler and more efficient.

So how does it proceed in practice? Next, let's start from a case study to understand how the data security risk assessment service is actually carried out.

Challenge

Massive data collection faces complex risks


To promote "benefiting the people", "benefiting doctors" and "benefiting the government", a city uses its national health information platform as the digital base of its "healthy brain", connecting all medical and health institutions in the city and achieving comprehensive convergence of health information across the whole industry.

◼︎ At present, the national health information platform holds about 10TB of personal information, medical application data, medical payment data, health resource data, and public health data.

Massive data interconnection and information sharing provide strong data support for medical and public health business collaboration, convenient service development, and comprehensive business management. However, the increasingly complex data ecology has also led to the emergence of new risks.

Faced with a variety of high-value data assets, doing a good job of security is the top priority for the Health and Medical Commission. Taking reasonable measures to protect data assets and to prevent or reduce the risks they face has become an important task.

Practice

Taking advantage of risk assessment to prevent problems before they happen

In order to implement the requirements of laws and regulations such as the "Data Security Law" and the "Personal Information Protection Law", identify risks in a targeted manner, and improve the overall level of data security protection, the Municipal Health Commission chose Meichuang Technology to explore an effective, implementable method for its data security risk assessment system.

The data security risk assessment work revolves around its data assets and data processing activities. During the assessment process, it is necessary to fully consider the relationship between data asset value, asset vulnerability, security threats, and security measures.


This risk assessment mainly targets the data in the national health information platform. Meichuang Technology uses automated tools such as the data security comprehensive assessment system and the dark data discovery and classification-and-grading system, combined with manual methods, with the "Provincial Data Security Risk Assessment Specification (Trial)" as the main reference document. Through data asset identification, vulnerability identification, threat identification, and risk analysis and calculation, it comprehensively identifies the risks faced by the data, produces a comprehensive risk list and risk estimate for the data assets, and delivers a risk treatment service plan.

Overall assessment content: identification and classification of data assets, identification of data security threats and vulnerabilities, identification of data security measures, etc.

The assessment process is organized as follows:

1. Assessment Preparation

Assessment tool preparation

Conduct basic research

Develop an assessment plan

2. Assessment Implementation

Carry out on-site research

Data combing and classification

Threat and Vulnerability Identification

Identification of data security measures, etc.


3. Risk Analysis

Collation of evaluation materials

Qualitative and quantitative calculation of risks

Develop risk treatment recommendations


4. Report output

Compile and output the Risk Assessment Report

Effect

Clarify Threats and Challenges and Build a Safe Line of Defense

◼︎ Data asset identification, classification and grading: Data asset identification is an important link in data security risk assessment. In this assessment, based on local and industry standards and regulations, combined with the Health Commission's own business conditions and data characteristics, and through the combination of manual investigation with the dark data discovery and classification-and-grading system, the data assets were quickly identified, classified, assigned a value and graded by importance, forming a data asset list.

Finally, along the business application dimension and the data object dimension, the data was divided into categories such as personal attribute data, medical application data, medical payment data, health resource data, and technical management data; by degree of importance, it was graded into general data, important data and core data.


◼︎ Data security threat and vulnerability identification: According to the risk assessment standards and specifications, for data collection, storage, transmission, use and processing, sharing and other activities, and from the perspectives of the security management system, process specifications, process records, security compliance, and technical capabilities and functions, a total of 36 types of security threats were identified.

Through vulnerability identification methods such as vulnerability scanning and baseline verification, combined with the results of the non-technical research and analysis from the status-quo investigation stage, 29 of the 37 vulnerability assessment indicators were found to apply.

◼︎ Identification of data security measures: The security technical measures adopted by the current system were evaluated and the effectiveness of the control measures checked, for example the access control mechanism and how it is implemented, the security audit and data traceability mechanism and method, and data encryption and leakage protection measures. Benchmarked against 80 security requirements for data security protection measures, 15 were implemented, 21 were partially implemented, 33 were not implemented, and 11 were not applicable.

◼︎ Comprehensive risk analysis: Across the risk assessment dimensions above, Meichuang starts from the two perspectives of assets and risks, and on the basis of data classification and grading, with the help of the data security comprehensive assessment system DCAS, relying on a rich security compliance database, security risk database and security treatment policy library, automatically completes the assignment, analysis and calculation of risk threats. Through the comprehensive calculation and analysis of the risk value of 17 types of data assets at different levels, 2 types of high-risk data assets, 5 types of low-risk data assets, and 10 types of very-low-risk assets were found.
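The page states that risk is calculated from asset value, vulnerability, threat and security measures, and reports the measure benchmark (15 implemented, 21 partial, 33 not implemented, 11 not applicable out of 80) and the resulting risk-level counts, but it does not publish the formula DCAS uses. The following is an added example, not Meichuang's code or the provincial specification's method: it assumes a simple multiplicative scoring model (asset grade × threat likelihood × vulnerability severity × residual measure gap), assumes the risk-level thresholds, and uses constructed sample assets whose category and grade names follow the page's classification.

```python
from dataclasses import dataclass

# Asset value by grade, following the page's three-level grading (assumed weights).
GRADE_VALUE = {"general": 1, "important": 2, "core": 3}

# Risk-level thresholds on the score; these cut-offs are an assumption of this example.
RISK_THRESHOLDS = [("high", 30.0), ("medium", 15.0), ("low", 5.0)]


@dataclass
class DataAsset:
    name: str
    category: str             # e.g. "medical payment data"
    grade: str                # "general" | "important" | "core"
    threat_likelihood: int    # 1 (rare) .. 5 (frequent)
    vulnerability_severity: int  # 1 (minor) .. 5 (critical)
    measure_effectiveness: float  # 0.0 (no controls) .. 1.0 (fully controlled)


def measure_effectiveness(implemented, partial, not_implemented, not_applicable):
    """Share of applicable requirements covered by controls.

    Not-applicable items are excluded from the denominator; a partially
    implemented requirement counts as half (an assumed weighting).
    """
    applicable = implemented + partial + not_implemented
    if applicable == 0:
        raise ValueError("no applicable requirements")
    return (implemented + 0.5 * partial) / applicable


def risk_score(asset):
    """Assumed model: value * threat * vulnerability * (1 - effectiveness).

    Maximum possible score is 3 * 5 * 5 * 1 = 75.
    """
    for field in (asset.threat_likelihood, asset.vulnerability_severity):
        if not 1 <= field <= 5:
            raise ValueError("threat and vulnerability ratings must be 1..5")
    if not 0.0 <= asset.measure_effectiveness <= 1.0:
        raise ValueError("measure effectiveness must be within 0..1")
    value = GRADE_VALUE[asset.grade]
    residual_gap = 1.0 - asset.measure_effectiveness
    return value * asset.threat_likelihood * asset.vulnerability_severity * residual_gap


def risk_level(score):
    """Map a score to high / medium / low / very low using RISK_THRESHOLDS."""
    for level, threshold in RISK_THRESHOLDS:
        if score >= threshold:
            return level
    return "very low"


def summarize(assets):
    """Count assets per risk level, the figure a report's risk statistics section needs."""
    counts = {"high": 0, "medium": 0, "low": 0, "very low": 0}
    for asset in assets:
        counts[risk_level(risk_score(asset))] += 1
    return counts


# Platform-wide effectiveness from the measure benchmark reported on the page.
PLATFORM_EFF = measure_effectiveness(15, 21, 33, 11)  # 25.5 / 69 ~= 0.37

# Constructed sample assets (ratings are illustrative, not the assessment's real values).
SAMPLE_ASSETS = [
    DataAsset("patient identity records", "personal attribute data", "core", 5, 4, PLATFORM_EFF),
    DataAsset("settlement ledger", "medical payment data", "important", 4, 3, PLATFORM_EFF),
    DataAsset("clinical visit records", "medical application data", "important", 3, 3, PLATFORM_EFF),
    DataAsset("facility inventory", "health resource data", "general", 2, 2, PLATFORM_EFF),
    DataAsset("platform config baseline", "technical management data", "general", 3, 2, 0.8),
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        print(f"{a.name:28s} {a.grade:10s} score={risk_score(a):6.2f} -> {risk_level(risk_score(a))}")
    print(summarize(SAMPLE_ASSETS))
```

The separation of `risk_score` from `risk_level` is the point worth keeping whatever formula is used: the score carries the quantitative calculation, the level mapping carries the qualitative judgement, and changing the thresholds to match a specification does not touch the arithmetic. Weighting partially implemented measures at one half is the kind of assumption that should be written down in the assessment report alongside the result.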

◼︎ In the end, Meichuang summarized the risk assessment process and results into the "Data Security Risk Assessment Report", covering the assessment objects, the data security risk assessment method, data assets, data security threats, vulnerability identification results, risk analysis, risk statistics and conclusions, etc., laying a solid step for the safe and orderly flow of health care data and the release of its value!

Having long focused on the field of data security and building on its rich practice and services, Meichuang Technology not only has a professional service team that "understands data and understands security" together with automated tool support, but has also been recommended by authoritative organizations: it was selected as one of the "Top Ten Enterprises in China's Data Security Services", named a recommended vendor in "IDC Perspective: China's Data Security Services Market Insights", and awarded the highest-level certificate of the data security service capability assessment jointly issued by the China Software Evaluation Center and the Data Security Professional Committee of the China Computer Industry Association.

Only by clarifying the risks can we plan ahead; only by building a solid line of defense can we move forward steadily! To make data safer and more valuable, Meichuang Technology has always provided more professional and efficient services to protect the digital security transformation of thousands of industries!


Source: blog.csdn.net/meichuangkeji/article/details/132272768