Interpretation of the data security compliance requirements of Classified Protection 2.0

Recently, at a national standards press conference held in the press room of the State Administration for Market Regulation's Madian office area, the Classified Protection of Cybersecurity 2.0 system was officially released. The related national standards "Information security technology - Baseline for classified protection of cybersecurity", "Information security technology - Evaluation requirements for classified protection of cybersecurity" and "Information security technology - Technical requirements of security design for classified protection of cybersecurity" were also officially published and take effect on December 1, 2019.

Compared with Classified Protection 1.0, version 2.0 updates the structure of the standard, the number of requirement items, the scope of coverage, the protection philosophy and the grading process. It achieves full coverage of protected objects: basic information networks, cloud computing, big data, traditional information systems, the Internet of Things, mobile Internet and industrial control systems. It also moves from the passive defence of the 1.0 standard to a dynamic security system of prevention beforehand, response during an event and audit afterwards, focusing on full-scope active defence, trusted security, dynamic perception and comprehensive auditing.

As a professional data security vendor, Anhua Jinhe (安华金和) has combed through and interpreted the data security compliance requirements related to Classified Protection 2.0.

Level 2

At Level 2, the general security requirements, the cloud computing security extension requirements and the big data reference requirements each contain data security requirements.

General security requirements

Security operation and maintenance management: vulnerability and risk management

Necessary measures should be taken to identify security vulnerabilities and hidden risks, and the vulnerabilities and risks discovered should be repaired in a timely manner, or repaired after assessing their possible impact.

Compliance Interpretation:

Database vulnerabilities, weak passwords, default configurations, excessive privileges and similar potential risks should be assessed in a timely manner, and targeted remediation carried out through a combination of manual work and technical tools.

Cloud computing security extension requirements

Secure computing environment: data confidentiality and integrity

b) shall ensure that the cloud service provider or a third party has administrative privileges over cloud service customer data only with the authorization of the cloud service customer;

c) shall ensure the integrity of important data during the virtual machine migration process, and take the necessary recovery measures when damage to integrity is detected.

Compliance Interpretation:

A security control mechanism should be provided for cloud service customer data: the cloud service provider must first obtain the cloud service customer's authorization through an approval workflow, and only then is it granted permission to manage the data.

Data in the cloud computing environment should be encrypted, so that even if the cloud service side mirrors or copies the data without permission, it cannot obtain plaintext customer data from the underlying storage.

Important databases should be backed up through a background process before migration to ensure that recovery is possible. Backup operations must be approved before they are authorized. At the same time, database encryption mechanisms fundamentally secure the data during the virtual machine migration process: even if the data files are reverse analysed afterwards, what is seen is still ciphertext.

Level 2 big data reference requirements

Secure computing environment

H.3.3 Secure computing environment

f) the big data platform should provide tools or service component technologies for static desensitization and de-identification;

g) for a big data platform that provides services externally, the platform or a third party may access, use and manage the data resources of a big data application only with that big data application's authorization.

Compliance Interpretation:

Sensitive information on the platform should be desensitized using technical tools.

Operation and maintenance commands that change data should be placed under fine-grained control through an approval process, and a complete record of what is executed should be kept.

Level 3

At Level 3, the general security requirements, the cloud computing security extension requirements and the big data reference requirements further strengthen the requirements in the areas of secure area boundary, secure computing environment, security management personnel and secure communication network.

General security requirements

Secure area boundary: access control

c) source address, destination address, source port, destination port and protocol should be checked in order to allow or deny packets in and out;

e) access control based on application protocol and application content should be applied to data flows entering and leaving the network.

Compliance Interpretation:

The database protocol should be controlled at fine granularity, in both scope and content, based on factors such as address, IP, time, the executed statement and the statement's scope of impact.

Secure computing environment: access control

f) the granularity of access control should reach user level or process level for subjects, and file or database table level for objects;

g) security labels should be set on important subjects and objects, and subjects' access to information resources carrying security labels should be controlled.

Data confidentiality

b) cryptographic technology should be used to ensure the confidentiality of important data during storage, including but not limited to authentication data, important business data and important personal information.

Protection of personal information

a) only the user personal information necessary for the business should be collected and stored;

b) unauthorized access to and illegal use of user personal information shall be prohibited.

Compliance Interpretation:

Control of database operations: control of subjects (database accounts, applications, application accounts), of operation objects (tables, columns, stored procedure names) and fine-grained control of SQL statements.

Enhanced access control based on ciphertext prevents highly privileged subjects such as DBAs from accessing sensitive data objects.

Access control over protected object fields is independent of the database's own privileges, which prevents a subject from escalating its database user privileges to gain access to protected data.

It should have the ability to inventory data and ensure the completeness of the data asset inventory, thus providing a basis for classification and grading.

It should have database access control; the controlled dimensions include, without limitation, time, IP, command and statement scope.

It should have reversible desensitization capability, while ensuring the consistency and correlation of data after desensitization.

It should have the ability to trace the use and distribution of data.

It should have the ability to audit the different databases of different customers.
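The fine-grained database access control described above (subject, source IP, time, statement type, target table, with access independent of the database's own grants) can be expressed as a small policy engine. This is an added example written for this page, not code from the original article or from any vendor product; every account, network and table name in it is made up.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import time

# Constructed example of fine-grained database access control: the decision depends
# on subject (database account, source IP), time window, statement type and table.
@dataclass
class Rule:
    effect: str                                   # "allow" or "deny"
    accounts: set = field(default_factory=set)    # empty = any account
    networks: list = field(default_factory=list)  # ip_network objects, empty = any
    hours: tuple = (time(0), time(23, 59))        # permitted time window
    verbs: set = field(default_factory=set)       # SELECT, UPDATE, ...; empty = any
    tables: set = field(default_factory=set)      # empty = any table
# Minimal statement classifier, enough for the simple statements used here.
_PATTERNS = {
    "SELECT": re.compile(r"^\s*select\b.*?\bfrom\s+([\w.]+)", re.I | re.S),
    "UPDATE": re.compile(r"^\s*update\s+([\w.]+)", re.I),
    "DELETE": re.compile(r"^\s*delete\s+from\s+([\w.]+)", re.I),
}
def parse_sql(sql):
    """Return (verb, table); anything else is classified as UNKNOWN."""
    for verb, pattern in _PATTERNS.items():
        m = pattern.match(sql)
        if m:
            return verb, m.group(1).lower()
    return "UNKNOWN", ""

def decide(rules, account, src_ip, now, sql):
    """First matching rule wins; a request matching no rule is denied."""
    verb, table = parse_sql(sql)
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ((not r.accounts or account in r.accounts)
                and (not r.networks or any(ip in n for n in r.networks))
                and r.hours[0] <= now <= r.hours[1]
                and (not r.verbs or verb in r.verbs)
                and (not r.tables or table in r.tables)):
            return r.effect, verb, table
    return "deny", verb, table
# Constructed policy: the DBA is denied the sensitive table regardless of database
# grants; the app account may read/update from its subnet in business hours; ops SELECT only.
RULES = [
    Rule("deny", accounts={"dba"}, tables={"customer.pii"}),
    Rule("allow", accounts={"app_order"}, networks=[ipaddress.ip_network("10.1.0.0/16")],
         hours=(time(8), time(20)), verbs={"SELECT", "UPDATE"}, tables={"orders", "customer.pii"}),
    Rule("allow", accounts={"ops"}, networks=[ipaddress.ip_network("10.9.9.9/32")], verbs={"SELECT"}),
]
```

Because the policy is evaluated outside the database, the deny rule for the DBA holds even though the database itself grants that account full access, which is the point the interpretation makes about ciphertext-based control.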

Big data applications

Security operation and maintenance management

H.4.5 Security operation and maintenance management

b) a data classification and grading protection strategy shall be developed and implemented, with different security protection measures for data of different categories and levels;

c) on the basis of data classification and grading, the scope of important digital assets should be defined, and the usage scenarios and business processes in which important data is automatically desensitized or de-identified should be made clear;

d) the categories and levels of data shall be reviewed periodically; if the category or level of data needs to change, the change shall be carried out according to the change approval process.

Compliance Interpretation:

Different database protection schemes should be chosen according to the different levels of data.

According to the business scenario, full replacement, partial replacement, partial masking or another desensitization scheme should be selected.

Important data should be inventoried and located regularly using technical tools, and data assessments carried out as appropriate.
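The desensitization schemes listed above (full replacement, partial replacement, partial masking) and the earlier requirement for reversible, consistent desensitization can be shown side by side. This is an added example written for this page, not code from the original article or from any vendor product; the key and the sample values are placeholders.

```python
import hashlib

# Constructed example of the desensitization modes discussed on this page: full
# replacement, partial masking, partial replacement and consistent reversible tokens.
# KEY is a placeholder; a real deployment would use a managed secret.
KEY = b"placeholder-masking-key"
DIGITS = "0123456789"

def _keyed_bytes(value, n):
    """Deterministic keyed byte stream of length n derived from value (one PBKDF2 round)."""
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), KEY, 1, dklen=n)

def mask_full(value, fill="*"):
    """Full replacement: every character is replaced, length preserved."""
    return fill * len(value)

def mask_partial(value, keep_head=3, keep_tail=4, fill="*"):
    """Partial masking: keep head and tail, hide the middle (e.g. a phone number)."""
    if len(value) <= keep_head + keep_tail:
        return mask_full(value, fill)
    hidden = len(value) - keep_head - keep_tail
    return value[:keep_head] + fill * hidden + value[-keep_tail:]

def replace_partial(value, keep_tail=4):
    """Partial replacement: the hidden prefix becomes digits derived from a keyed hash,
    so the same input is always replaced the same way and still looks like a number."""
    if len(value) <= keep_tail:
        return mask_full(value)
    prefix_len = len(value) - keep_tail
    prefix = "".join(DIGITS[b % 10] for b in _keyed_bytes(value, prefix_len))
    return prefix + value[-keep_tail:]

class TokenVault:
    """Reversible, consistent desensitization: one value always maps to one token,
    so masked columns still join correctly, and an authorized path can recover it."""
    def __init__(self):
        self._forward = {}
        self._reverse = {}

    def tokenize(self, value):
        if value not in self._forward:
            token = "TK" + _keyed_bytes(value, 6).hex()   # 12 hex chars
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token):
        """Only an authorized caller should reach this; unknown tokens raise KeyError."""
        return self._reverse[token]
```

The token is derived from the value rather than drawn at random, which is what keeps a customer identifier consistent across the different databases and tables the interpretation wants to correlate.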

As a proponent of the national data security governance concept, Anhua Jinhe (安华金和) responds actively to the requirements of Classified Protection 2.0 and offers corresponding solutions to help users achieve compliance, so that data can be used freely and securely.

