First, Organization and Audience of Data Security Governance


Data governance and data security are relatively familiar concepts to most security professionals, but data security governance appears to be a new term. In fact, most enterprises that hold important data assets already practise data security governance in some form, even if not systematically: for example, customer data security management specifications and their supporting control measures, and data classification and grading management specifications. In this article we set out to describe the concept systematically.

First, Organization and Audience of Data Security Governance

Firstly, to govern data security, it is necessary to establish a special data security governance organization to clarify who is responsible for the long-term policy, implementation, and supervision of data security governance. This organization is usually a virtual organization, which can be called the Data Security Governance Committee or Data Security Governance Group, with members consisting of data stakeholders and experts. Its establishment marks the formal launch of the organization's data security governance work, making it possible to continuously improve the formulation of data security norms, introduction of data security technology, and construction of data security systems. After the establishment of this organization, it shall perform the following duties:

A. Formulation of Data Classification and Categorization Principles

B. Formulation of Data Security Usage (Management) Norms

C. Introduction of Data Security Governance Technology

D. Supervision and Enforcement of Data Security Usage Norms

E. Continuous Evolution of Data Security Governance

Second, Strategies and Processes of Data Security Governance

The core of data security governance is formulating data security strategies and processes, which an enterprise or industry usually publishes as a document such as 'XX Data Security Management Specification'. All workflows and technical support are designed and implemented around this specification.

2.1 External Policies to Follow

Data security governance must also follow national security policies and industry security policies. Examples include:

  1. Cybersecurity Law;
  2. Level Protection Policy;
  3. BMB17;
  4. Examples of policy requirements related to the industry:

(a) PCI-DSS, Sarbanes-Oxley Act (SOX Act), HIPAA;

(b) Basic Norms for Enterprise Internal Control (three meetings, finance, audit);

(c) Temporary Regulations on the Protection of Commercial Secrets of Central Enterprises;

These policies are usually key external policy and regulatory references when formulating internal organizational policies.

2.2 Data Classification and Grading

Data is classified mainly by its source, content, and purpose; its sensitivity level is graded by the value of the data, the sensitivity of its content, the impact of its disclosure, and its distribution range.
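As an added illustration (not code from the original article), the following Python sketch shows how classification by content and grading by distribution range can be automated over a constructed column inventory. The pattern set, the four-level grade scale and the `distribution_range` parameter are assumptions of this example, not something the article prescribes.

```python
import re

# Constructed sample inventory: "table.column" -> a few sampled values.
# These are made-up values, not real records.
SAMPLE_COLUMNS = {
    "customer.mobile": ["13812345678", "13987654321", "13711112222"],
    "customer.email": ["a@example.com", "b@example.org", "c@example.net"],
    "customer.id_card": ["110101199001011234", "31010119851212987X"],
    "orders.amount": ["12.50", "99.00", "1000.00"],
    "orders.note": ["gift wrap", "leave at door", "call first"],
}

# Content patterns used to classify a column by what its values look like
# (assumed shapes: 18-character national ID, 11-digit mobile number, e-mail address).
PATTERNS = {
    "national_id": re.compile(r"^\d{17}[\dXx]$"),
    "phone": re.compile(r"^1\d{10}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}

# Assumed base sensitivity grade per category on a four-level scale (L1 lowest, L4 highest).
BASE_LEVEL = {"national_id": 4, "phone": 3, "email": 2, "general": 1}


def classify_values(values, min_ratio=0.8):
    """Return the first category whose pattern matches at least min_ratio of the
    sampled values, or 'general' when no pattern reaches the threshold."""
    if not values:
        return "general"
    for category, pattern in PATTERNS.items():
        hits = sum(1 for v in values if pattern.match(v))
        if hits / len(values) >= min_ratio:
            return category
    return "general"


def grade(category, distribution_range):
    """Sensitivity grade: the category's base level, raised by one (capped at L4)
    when the data leaves the organization ('partner' or 'public')."""
    level = BASE_LEVEL[category]
    if distribution_range != "internal":
        level = min(level + 1, 4)
    return level


def build_inventory(columns, distribution_range="internal"):
    """Map each column name to a (category, grade) pair."""
    inventory = {}
    for name, values in columns.items():
        category = classify_values(values)
        inventory[name] = (category, grade(category, distribution_range))
    return inventory


if __name__ == "__main__":
    for column, (category, level) in build_inventory(SAMPLE_COLUMNS).items():
        print(f"{column:20s} {category:12s} L{level}")
```

Sampling values rather than trusting column names catches sensitive data hiding in generically named columns; the match ratio threshold keeps a single stray value from mislabelling a whole column.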

2.3 Data Asset Status Analysis

2.3.1 Data Usage Department and Role Analysis

In data asset analysis, clarify how the data is stored, which objects use the data, and how it is used. Analysis of how data and systems are stored and used requires automated tools; analysis of departments and personnel roles is reflected mainly in management specification documents; and when analyzing the roles that use data assets, it is crucial to clarify the division of labor, rights, and responsibilities of the different audiences.

2.3.2 Data Storage and Distribution Analysis

To know which control strategies need to be applied to which database, the distribution of sensitive data must be clear: which control measures should apply to the database operation and maintenance personnel, which blurring (masking) strategy should apply to data exported from the database, and which encryption requirements should apply to the stored database data.

2.3.3 Data Usage Status Analysis

To formulate accurate access authorization strategies and control measures for business-system staff who handle sensitive data, it is necessary to clarify which business systems access that data.

2.4 Data Access Control

Define the principles and control strategies for data usage from its different aspects, including: account and permission management for data access, data usage process management, data sharing (extraction) management, and data storage management.

2.5 Regular Audit Strategies

Regular audits ensure that the data security governance standards are actually implemented, including:

A. Compliance Check;

B. Operation Supervision and Audit;

C. Risk Analysis and Discovery.

Third, Technical Support Framework for Data Security Governance

3.1 Technical Challenges in Data Security Governance

Data security governance faces three major challenges: data status analysis, sensitive data access and control, and data governance audit.

3.1.1 Challenges in Data Security Status Analysis Technology

The organization needs to determine the distribution of sensitive data within its systems (the key issue is making that distribution clear); determine how sensitive data is accessed, that is, which systems and which users access it in what manner, so that it can be controlled; and determine the current account and authorization status, clarifying, visualizing, and reporting the accounts and authorizations that can reach sensitive data in databases and business systems, to establish whether the current permission controls rest on an appropriate foundation.

3.1.2 Challenges in Data Access Control Technology

In terms of sensitive data access and control technology, the following challenges are faced:

(1) How to effectively enforce approval of sensitive data access during the execution phase. Approval systems must be established for access to sensitive data and for batch data downloads; this is crucial;

(2) How to defend against attacker techniques that break through control management when that control is based on database permission control technology;

(3) How to achieve encryption at the storage layer while maintaining efficiency. Encryption at the file and disk levels cannot be combined with the database's own access control system, so it does not constrain operations personnel;

(4) How to desensitize sensitive data for testing, development, and BI analysis environments while preserving business logic. Sensitive data needs to be blurred (masked) in these environments;

(5) How to control onward distribution after data has been extracted and distributed.
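Challenge (4) above, desensitizing data for test and development environments without breaking business logic, is illustrated by the following added Python example (not code from the article). It uses keyed, deterministic pseudonymization so that a value masks to the same output in every table, which keeps joins between tables intact, and it preserves the parts of a value that business rules commonly depend on (the mobile number prefix, the e-mail domain). The masking rules, the placeholder key, and the sample tables are all constructed assumptions.

```python
import hashlib
import hmac

# Assumed per-environment secret; a constructed placeholder, not a real key.
# Using a different key in each environment keeps test and production pseudonyms uncorrelated.
PSEUDONYM_KEY = b"test-environment-key-placeholder"


def _pseudo_digits(value: str, length: int, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic digit string derived from HMAC-SHA256(key, value)."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return "".join(str(byte % 10) for byte in mac)[:length]


def mask_phone(phone: str) -> str:
    """Keep the 3-digit network prefix, which business rules may branch on,
    and replace the remaining digits with a pseudonym of the same length."""
    return phone[:3] + _pseudo_digits(phone, len(phone) - 3)


def mask_email(email: str) -> str:
    """Replace the local part with a pseudonym; keep the domain for domain-based logic."""
    _, _, domain = email.partition("@")
    return "user" + _pseudo_digits(email, 8) + "@" + domain


# Column -> masking function; columns not listed pass through unchanged.
MASKERS = {"mobile": mask_phone, "email": mask_email}


def mask_table(rows):
    """Apply the column maskers to every row of a table (a list of dicts)."""
    return [{col: MASKERS.get(col, lambda v: v)(val) for col, val in row.items()} for row in rows]


def join_count(customers, orders):
    """Number of orders whose 'mobile' matches a customer row (a join on the masked key)."""
    keys = {c["mobile"] for c in customers}
    return sum(1 for o in orders if o["mobile"] in keys)


# Constructed sample tables (made-up records) sharing the 'mobile' join key.
CUSTOMERS = [
    {"mobile": "13812345678", "email": "zhang@example.com", "city": "Beijing"},
    {"mobile": "13987654321", "email": "li@example.org", "city": "Shanghai"},
]
ORDERS = [
    {"order_id": 1, "mobile": "13812345678", "amount": "99.00"},
    {"order_id": 2, "mobile": "13987654321", "amount": "12.50"},
    {"order_id": 3, "mobile": "13700000000", "amount": "5.00"},  # no matching customer
]

if __name__ == "__main__":
    masked_customers, masked_orders = mask_table(CUSTOMERS), mask_table(ORDERS)
    print(masked_customers[0])
    print("joins before:", join_count(CUSTOMERS, ORDERS),
          "after:", join_count(masked_customers, masked_orders))
```

Because the pseudonym is an HMAC rather than a plain hash, someone holding the masked data cannot recover the originals by hashing guesses without the key; the key should live only in the masking pipeline, never in the target environment.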

3.1.3 Challenges in auditing data security and risk discovery

1. How to track changes in accounts and permissions

Regular audits of account and permission changes are conducted to ensure that access to sensitive data is within the established strategy and specifications.

Comprehensive auditing is the key to verifying whether the strategies of data security governance are effectively implemented in daily operations. The

3. How to quickly detect and alert abnormal behaviors and potential risks

The key elements of data governance are discovering abnormal access behavior and potential vulnerabilities in the system. Modeling daily behavior is the key to quickly finding abnormal and attack behavior in massive volumes of data and avoiding a large-scale loss of control of the system.

3.2 Technical support for data security governance

In response to the three major challenges above, a technical support system is proposed covering data security status sorting, data access control, and data security audit.

3.2.1 Technical support for data security condition sorting

1. Static data sorting technology

Static sorting technology collects information on the storage and distribution of sensitive data, the vulnerability status of the data management system, and its security configuration status.

2. Dynamic data sorting technology

Dynamic sorting technology sorts out how sensitive data is actually accessed within the system.

3. Visualization technology for data condition

Visualization technology presents the information gathered by static and dynamic asset sorting in visual form, such as the access heat (frequency) of sensitive data, the distribution of assets across the organization's departments or business systems, the system's account and permission diagram, and the scope-of-permission diagram for sensitive data.
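As an added example (not code from the article), the following Python script combines the dynamic sorting described in 3.2.1 with the daily-behavior modeling called for in 3.1.3, item 3, on a handful of constructed database audit log lines. It computes the access heat of sensitive tables and an account-to-table access map, then builds a per-account baseline from one day of logs and flags deviations on the next day (first-time access to a sensitive table, activity outside the account's usual hours, result sets far larger than usual, and accounts with no baseline at all). The log line format, the sensitive-table list, the `spike_factor` threshold, and the account names are all assumptions of this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed: tables that the classification exercise marked as sensitive.
SENSITIVE_TABLES = {"customer", "payment"}

# Assumed audit line format: "<ISO timestamp> user=<account> table=<table> op=<SQL verb> rows=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) table=(?P<table>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample logs (made-up accounts and counts): one day used as the baseline,
# and the following day checked against it.
BASELINE_LOG = """\
2024-05-01T09:12:03 user=app_svc table=customer op=SELECT rows=40
2024-05-01T10:05:11 user=app_svc table=customer op=SELECT rows=55
2024-05-01T11:40:27 user=app_svc table=orders op=INSERT rows=1
2024-05-01T09:30:00 user=dba_li table=orders op=SELECT rows=200
2024-05-01T14:15:42 user=dba_li table=payment op=SELECT rows=20
"""
NEXT_DAY_LOG = """\
2024-05-02T09:20:10 user=app_svc table=customer op=SELECT rows=50
2024-05-02T02:13:55 user=app_svc table=payment op=SELECT rows=5000
2024-05-02T10:01:00 user=dba_li table=orders op=SELECT rows=150
2024-05-02T10:02:30 user=tmp_acct table=customer op=SELECT rows=10
"""


def parse_log(text):
    """Parse audit lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
                           "table": m["table"], "op": m["op"], "rows": int(m["rows"])})
    return events


def access_heat(events):
    """Dynamic sorting: how often each sensitive table is touched."""
    return Counter(e["table"] for e in events if e["table"] in SENSITIVE_TABLES)


def access_map(events):
    """Dynamic sorting: which accounts actually reach which sensitive tables."""
    reach = defaultdict(set)
    for e in events:
        if e["table"] in SENSITIVE_TABLES:
            reach[e["user"]].add(e["table"])
    return dict(reach)


def build_baseline(events):
    """Per-account model of normal behavior: tables touched, hour window, largest result set."""
    base = {}
    for e in events:
        b = base.setdefault(e["user"], {"tables": set(), "first_hour": 23, "last_hour": 0, "max_rows": 0})
        b["tables"].add(e["table"])
        b["first_hour"] = min(b["first_hour"], e["ts"].hour)
        b["last_hour"] = max(b["last_hour"], e["ts"].hour)
        b["max_rows"] = max(b["max_rows"], e["rows"])
    return base


def detect_anomalies(baseline, events, spike_factor=5):
    """Return (account, reason) findings for events that deviate from the baseline."""
    findings = []
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            findings.append((e["user"], "account not seen in baseline"))
            continue
        if e["table"] in SENSITIVE_TABLES and e["table"] not in b["tables"]:
            findings.append((e["user"], f"first access to sensitive table {e['table']}"))
        if not b["first_hour"] <= e["ts"].hour <= b["last_hour"]:
            findings.append((e["user"], f"activity at unusual hour {e['ts'].hour:02d}"))
        if e["rows"] > spike_factor * b["max_rows"]:
            findings.append((e["user"], f"result size spike: {e['rows']} rows"))
    return findings


if __name__ == "__main__":
    base_events = parse_log(BASELINE_LOG)
    print("heat:", dict(access_heat(base_events)))
    print("reach:", access_map(base_events))
    for user, reason in detect_anomalies(build_baseline(base_events), parse_log(NEXT_DAY_LOG)):
        print(f"ALERT {user}: {reason}")
```

A single day is far too short a baseline for production use; the point of the example is the structure (inventory first, then a model of normal per account, then deviations against that model), and the access map it produces is also the raw material for the account and permission diagram mentioned above.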

In summary, data security governance requires, first, establishing an organizational structure for data security governance so that the work genuinely takes root within the organization; second, completing the strategy document and the series of implementation documents for data security governance; and third, addressing the technical challenges through a set of data security technology support systems, so that the data security management regulations are effectively implemented.
