Featured Interview: In the era of deep collaboration, how should security risks be managed?

EDITORIAL

Document sharing and collaboration are among the most basic needs of daily operations. How to adapt to the great changes of the "mobile + cloud" era and how to meet increasingly complex business office and collaboration needs has become one of the hot topics on CIOs' minds.

Now, let us look back at the highlights of this issue's interviews.

1. In-depth interpretation of the "Network Security Act"

Li Weiliang (moderator)

What is compliance? Why do companies need compliance? What kinds of businesses require compliance?

Kevin (guest)

Any enterprise conducting business activities in any country or region must comply with local laws, regulations and standards; this is "compliance." Whether for an enterprise or a citizen, abiding by laws and regulations is a basic responsibility and principle. Compliance not only means that enterprises should follow the rules; it also helps enterprises prevent and control risks and avoid regulatory penalties.

Li Weiliang

For Chinese enterprises undergoing digital transformation, which laws and regulations must they be aware of and comply with?

Kevin

The field of digital transformation is very broad, and the laws and regulations involved are hard to list exhaustively. However, there are three types of laws and regulations that apply to most companies: first, the security-related "Network Security Act"; second, the "Telecommunications Regulations" in the telecommunications field; and third, the laws and regulations on Internet information management.

At the same time, enterprises in a particular industry should also comply with that industry's rules and regulations, for example: in the financial industry, the "××× Notice on Personal Information Protection Work of Banking Financial Institutions" and the "Implementation Measures for Financial Consumer Protection"; in the medical industry, the "Measures for the Administration of Population Health Information (Trial)"; in the ride-hailing industry, the "Interim Measures for the Administration of Online Taxi Booking Services"; and so on.

Li Weiliang

What kind of law is the "Network Security Act"? What was the background and process of its creation?

Kevin

The "Network Security Act" is China's first basic law to comprehensively regulate cyberspace security management. It is an important milestone in the construction of the rule of law in cyberspace in our country, a weighty instrument for governing the network according to law and resolving legal risks in the network, and an important guarantee for keeping the Internet running healthily on the track of the rule of law. From an international perspective, the "Network Security Act" is China's plan for dealing with the global problem of cyber security challenges; through this law, one can see China's determination to safeguard its sovereignty in cyberspace.

Speaking of the birth of the "Network Security Act", it dates back to the "Prism" incident of 2013. After this incident, the Chinese government realized the importance of network security and related legislation, and so set up the Office of the Central Leading Group for Network Security and Informatization of the CPC Central Committee, specializing in integrating and coordinating major issues related to network security and informatization across many fields.

Since then, the "Network Security Act", the related network security strategy, and supporting laws, regulations and standards have been introduced or included in development plans.

On November 7, 2016, the "××× Network Security Act" was passed by an overwhelming majority at the 24th meeting of the 12th ××× Standing Committee, and it formally took effect on June 1, 2017.

Li Weiliang

What is the overall framework of the network security law? What basic principles does it set out? What strategic objectives has it established?

Kevin

The "Network Security Act" is a comprehensive, principle-based basic law. Its strategic objectives are to enhance network security, protect the security of national information, create a good network environment, protect innovation and enterprise, and protect personal information from misuse.

The "Network Security Act" covers several major areas: support and promotion of network security, network operation security, network information security, monitoring, early warning and emergency response, and legal liability. It provides for the rights and duties of government departments at all levels, network operators, critical information infrastructure operators, and citizens with respect to network operation and information security, personal information protection, emergency response, and other network information matters.

Here I would like to share some important ideas from the "Network Security Act" with you. First, the Network Security Act clearly stipulates safeguarding China's sovereignty in cyberspace; this is a very important concept. Cyberspace sovereignty is the natural extension and manifestation of national sovereignty in cyberspace, and the Network Security Act is the first law to affirm that the Chinese government has the right to manage and defend its cyberspace. Second, the Network Security Act also makes corresponding demands of government bodies: the relevant government agencies must publish a cybersecurity strategy and coordinate the various departments in formulating network security laws and regulations. Third, the Network Security Act puts forward some important requirements for network operators, including: taking basic security measures to ensure that your network operates securely; ensuring the information you publish on the network is legal; implementing real-name authentication in some cases; and, for general network operators, meeting the "level of protection" requirements.

Li Weiliang

Which provisions of the "Network Security Act" require special attention? Please sort them out for everyone.

Kevin

Network operators (owners of networks, network managers, and service providers) must abide by laws and administrative regulations and earnestly fulfill their obligations to protect network security: monitoring the spread of illegal content, keeping the network secure and running stably, protecting personal information security, and preparing a good emergency response plan for network security incidents.

Critical information infrastructure operators should also fulfill some additional security obligations and comply with some higher requirements, such as: important personal data and business data generated in the course of operations must be stored within China; outbound data transfers must undergo a security assessment; procured network security products and services must be reviewed; and so on.

On the protection of personal information, the Network Security Act requires: obtaining the individual's consent before collecting personal information; informing the individual of the purpose, method and scope of use; not disclosing, altering or destroying the personal information collected; not providing personal information to others without consent; and taking measures to prevent information leakage, damage or loss.

Li Weiliang

Since the "Network Security Act" formally took effect, have there been any penalty cases?

Kevin

There have been, and many. The cases we have seen can be broadly divided into four categories: failure to implement the publishing and real-name system, failure to implement security systems such as level protection, failure to implement the network security protection system, and failure to implement the personal information protection system.

The main cases involving failure to implement the publishing and real-name system include: the Guangdong Provincial Cyberspace Administration ordered Alibaba Cloud to rectify immediately for not implementing the real-name system; the Zhejiang Cyberspace Administration ordered Taobao, Mogujie and other interactive websites that illegally sold ××× tools to correct within a deadline and punished them according to law.

Cases of failure to implement security systems include: the Anhui Cyberspace Administration ordered a school website to make corrections for not implementing level protection and data retention, which had led to the leakage of identity information; the Anhui Public Security Bureau verified that a local school website had not implemented level protection, and **** ** ordered it to make corrections and imposed a fine.

In terms of failure to implement the network security protection system, the Guangdong Provincial Department of Industry and Information Technology investigated security vulnerability problems in the UC Browser.

In terms of failure to implement the personal information protection system, four departments, the Cyberspace Administration of China, the Ministry of Industry and Information Technology, the Ministry of Public Security and the Standardization Administration, selected a total of 10 Internet products and services for review: WeChat, Sina Weibo, Taobao, JD.com, Alipay, Amap, Baidu Maps, Didi Chuxing, Umetrip, and Ctrip.

Li Weiliang

As the responsible body, what challenges will enterprises face in the process of implementing the "Network Security Act"?

Kevin

The "Network Security Act" is comprehensive legislation, and its complex legal system takes time for businesses to understand. In addition, the Network Security Act was formally introduced in June last year, and many supporting compliance rules have not yet been introduced, so many companies still do not know specifically how to achieve compliance. Critical information infrastructure operating units are also subject to a number of additional legal provisions, which is a challenge.

Li Weiliang

For enterprise IT managers, what measures should be taken to respond effectively to the enormous pressure of the "Network Security Law" and turn it into an opportunity for business development?

Kevin

Enterprise IT operations staff should seriously study and understand their obligations under the Network Security Act. When the company is considered a "network operator", it should ensure corporate compliance, including: regularly updating and patching products and services; strengthening legal review of website content; implementing personal information security protection; meeting the level-protection compliance requirements; and developing an emergency response plan and supporting measures for network security incidents.

At present, many supporting details of the "Network Security Act" have not yet been introduced, and the definition of critical information infrastructure operating units has not been announced. It is therefore recommended that companies first make a preliminary judgment on their main identity and proceed with the appropriate preparations.

Li Weiliang

Thank you, Dr. Luo, for sharing!

2. How to deal with the security and compliance challenges of the "mobile + cloud" era?

Li Weiliang

Today collaboration and sharing are ubiquitous, and data security has become the thing enterprise CIOs are most concerned about. So, what security threats do today's enterprises face?

Jason

Indeed, today we see more and more collaboration scenarios, with more and more employees in different locations using different devices to access the corporate network. In this situation, the risks faced by enterprises are also growing. Even more frightening is that many businesses and individuals do not realize how great this risk is.

Let me share a set of figures with you: in 2016, up to 4 billion data records were leaked worldwide; in the past 12 months, 52% of data leakage incidents occurred in large enterprises; the duration of an APT *** can be as long as 140 days; and 45% of enterprises, because of the lack of data management and control measures, have left themselves exposed to litigation and data security risks......

In such a grim security situation, I believe that companies first need to establish a CSO (Chief Security Officer) position with full-time responsibility for security. At the same time, companies should carefully select and use information tools with better security and compliance.

Li Weiliang

People tend to think that public cloud means insecure; how do you view this issue?

Jason

Some people believe that keeping data on their own hard drive is the safest. In fact, a single hard drive is only hardware with storage capability; if a hard disk holding sensitive documents is lost or damaged, it will cause data leakage or loss. The hard drive itself is not valuable; what is valuable are the files and data on it, and the losses caused by the leakage, loss or damage of confidential files cannot be made good with any amount of money.

In contrast, cloud service providers have more specialized storage equipment and operations and maintenance services, and provide multi-data-center backups, 24/7 technical support, and guaranteed SLAs. By selecting a secure, compliant and trusted cloud service, data security and user privacy will be better protected.

And compared with a private cloud, a public cloud has lower procurement and maintenance costs; users do not need to deploy any servers locally and can obtain a full set of modern services.

Li Weiliang

Thank you Jason for sharing!


Source: blog.51cto.com/14440256/2427727