Interpretation of "Information Security Technology Data Security Risk Assessment Method" (Draft for Comments)

On August 21, the Secretariat of the National Information Security Standardization Technical Committee issued a notice soliciting public comments on the national standard "Information Security Technology Data Security Risk Assessment Method" (Draft for Comments).

1. Policies and regulations related to data security

The country had already promulgated a number of laws and regulations related to data security, which developed the topic from concept through to specific implementation, such as:

01. "Cybersecurity Law" (June 2017): mentions "network data security protection".

02. "Data Security Management Measures" (May 2019): comprehensively stipulates the data security life cycle of collection, storage, transmission, processing, and use.

03. "Personal Information Protection Law" (August 2021): adds data security life cycle stages such as processing, provision, disclosure, and deletion.

04. "Network Data Security Management Regulations" (November 2021): clarifies the classification and hierarchical protection system for data and the corresponding protection measures.

05. "Cybersecurity Review Measures" (January 2022): increases scrutiny of data security and data processing activities.

06. "Data Transfer Security Assessment Measures" (July 2022): standardizes the way data operators handle sensitive data abroad.

The policies, regulations and standards above show that China's data security protection management has gradually matured. The launch of the "Information Security Technology Data Security Risk Assessment Method" allows users' data security risks to be discovered and managed in advance, reducing the economic losses that would otherwise have to be dealt with after an incident occurs.

2. Core contents of the draft for comments

The consultation draft mainly covers the relationship between assessment elements, risk analysis principles, situations in which assessment applies, the assessment implementation process, the assessment content framework, assessment methods, data security risk assessment preparation, identification of data and data processing activities, identification of data security risks, data security risk analysis and evaluation, the assessment summary, a data security risk assessment report template, etc.

3. Key definitions

Scope of application

The standard is suitable for guiding data processors and third-party assessment agencies in conducting data security risk assessments, and can also be used as a reference by relevant regulatory authorities when carrying out data security inspections and assessments.

Data

Any electronic or other recording of information.

Data security

The state in which, through necessary measures, data is effectively protected and lawfully used, together with the ability to keep it continuously secure.

Data processing activities

Data collection, storage, use, processing, transmission, provision, disclosure, deletion and other activities.

Data security risks

The possibility of data security incidents and their impact on national security, public interests, or the legitimate rights and interests of organizations and individuals.

Data security risk assessment

The entire process of information research, risk identification, risk analysis and risk evaluation for the security of data and data processing activities.

Risk source

Threats, vulnerabilities, problems, hidden dangers, etc. that may lead to events endangering the confidentiality, integrity, availability and reasonableness of data processing; also called "risk hazards".

The introduction of the "Information Security Technology Data Security Risk Assessment Method" will give users specific, practical methods for preventing data security risks in advance. Understanding the key definitions above will help users carry out this work better.

As a leading domestic cloud-native security vendor, SafeDog also recognized the importance of data security early and launched data security solutions and data security risk assessment services, which provide industry users with protection covering the entire data security life cycle. In the future, SafeDog will fulfill its mission of "guarding the digital world and promoting cyber power", and contribute to the transformation and development of the digital economy for its users, the construction of China's network security system, and the healthy development of data security.

Origin blog.csdn.net/bocco/article/details/132479509