Attached Introduction | Interpretation of "Cybersecurity Standard Practice Guidelines - Implementation Guidelines for Network Data Security Risk Assessment"


On April 18, 2023, the Secretariat of the National Information Security Standardization Technical Committee released the "Cybersecurity Standard Practice Guidelines - Network Data Security Risk Assessment Implementation Guidelines (Draft for Comments)" (hereinafter referred to as the "Implementation Guidelines") for public comment. The comment period ends on May 2, 2023.

The "Implementation Guidelines" set out the approach and methods for network data security risk assessment, together with the specific assessment steps and assessment items. They are suitable both for data processors conducting security assessments on their own and for inspections and assessments organized by the relevant competent authorities. The "Implementation Guidelines" consist of a main text and two appendices:

The main text is divided into scope, terms and definitions, risk assessment overview, assessment preparation, information research, risk assessment, comprehensive analysis, and assessment summary;

The appendices are divided into examples of data security risks and an assessment report template.

This article now summarizes the key points of the "Implementation Guidelines" as follows:

  1. Scope of application and definitions

Article 2.1 of the "Implementation Guidelines" defines "network data" as "various electronic data collected, stored, transmitted, processed and generated through the Internet." This definition is broadly consistent with the definition of network data in Article 73 of the "Network Data Security Management Regulations (Draft for Comments)", namely "any record of information in electronic form."

It is worth noting that the "data" referred to in the "Data Security Law", one of the higher-level laws above these "Implementation Guidelines", covers not only the electronic data described above but also non-electronic data. Therefore, although the "Implementation Guidelines" repeatedly refer to "network data" simply as "data" in the subsequent text, readers should keep the difference in scope in mind.

  2. Risk assessment approach

Basic stance: Network data security risk assessment emphasizes prevention first, proactive discovery, and active defense, and assesses the risks in the data security protection measures and data processing activities of data processors;

Expected goals: Understand the overall status of data security, discover data security risks, propose data security management and technical protection measures, and improve the ability to protect data against attack, damage, theft, leakage, and abuse;

Analysis objects: data security issues and potential risks that may affect national security, public interests, or the legitimate rights and interests of industries, organizations, and individuals;

Output results: risk issue list, risk assessment report.

The overall approach to network data security risk assessment is shown in Figure 1.

[Figure 1: overall approach to network data security risk assessment (image not reproduced)]
3. Risk assessment content

The "Implementation Guidelines" specify that network data security risk assessment should focus mainly on data security management, the security of data processing activities, data security technology, personal information protection, and related aspects. The framework of assessment content is shown in Figure 2.

[Figure 2: framework of assessment content (image not reproduced)]
4. Risk assessment process

The "Implementation Guidelines" specify the overall process, specific work, and main outputs of network data security risk assessment. Conducting a risk assessment involves five stages: assessment preparation, information research, risk assessment, comprehensive analysis, and assessment summary, as shown in Figure 3.

[Figure 3: five-stage risk assessment process (image not reproduced)]
Relevant regulatory authorities organize data security inspections and assessments

When the relevant departments conduct inspections and assessments, they may refer to the "Implementation Guidelines" in carrying them out. The process consists of three main stages: assessment preparation, assessment implementation, and analysis and summary. The specific implementation steps are shown in Figure 5.

[Figure 5: implementation steps for inspections and assessments organized by regulatory authorities (image not reproduced)]


Source: blog.csdn.net/Arvin_FH/article/details/132231078