The necessity of data security work
Data security is a term that is both very large and very small. It is small in that almost everyone knows data is important, since it concerns everyone's privacy rights and property rights. It is large in that data has become a new dimension affecting competition and cooperation between countries and nations at the national and international levels.
At present, with the rapid development of digitalization, enterprises are discussing scenarios such as the listing of data assets, innovative applications of data assets, valuation of data assets, and trading and circulation of data elements. None of these can be separated from the 'data' at the core of data elements. Data is not only the core of enterprise operations but also the key to enterprise competitiveness. However, as the network environment grows more complex, data security threats emerge in an endless stream. How to ensure the security, integrity, and availability of data, so that 'data' does not become a negative asset, has become an important challenge for enterprises.
Definition of data security work

Data security work refers to implementing a series of management and technical measures to ensure the confidentiality, integrity, and availability of data during storage, processing, and transmission. Its core goal is to protect data from unauthorized access, use, disclosure, destruction, modification, or loss.
Problems faced by data security work
Industry compliance supervision is becoming stricter, and many places have successively carried out special inspections on data security. The pressure of this situation is at odds with developing a reasonable and effective concept of data security construction. Carrying out data security work is blind, especially when digital maturity and network security work have not reached the necessary level. A common pattern is to carry out full data classification and grading and output a large number of data service catalog files that cannot be applied in business scenarios and cannot create business value, falling into the habit of working for compliance.
Previous methods of data security work:
- Guiding data security work through Grade 2.0 compliance
As a baseline for compliance, data security is one of the core contents of the construction of Grade 2.0 protection. While the data security requirements of Grade 1.0 protection remain basically unchanged, Grade 2.0 protection, in line with the new network environment and business scenarios, sets more explicit requirements for data security protection capability and for data auditing, access control, and encryption. The emphasis also evolves from a focus on defense to overall protection before, during, and after an event. It is not only necessary to do a good job in auditing, but also to be able to trace the source when problems arise.
The following selects requirements related to data security and compares the differences, to see whether the current data security work content already covers them:
Based on the control points of Grade 2.0 protection, as can be seen from the above figure, the work can be roughly divided into four layers:
- Discovery and response layer: control is achieved by technical means through security devices or security components; the key part can be implemented by setting up a bastion host (fortress machine) and an independent management network;
- Analysis layer: through IDS and situational awareness, security events are gathered, identified, correlated and analyzed, and alerted on;
- Hot data (buffer layer): mainly provides effective and available data formats;
- Management layer: displays information based on security control scenarios, providing support for decision-making.
From the perspective of the data security management system, technical tools are only the means of implementation; organizational construction, institutional systems, and personnel awareness and ability are the basic guarantees. These guarantees are mapped to each stage of data lifecycle management to ensure that the goals of data security work are achieved.
The current way of carrying out data security work:
At present, data security work is not only based on the level protection system of the Cybersecurity Law, but also needs to take into account other regulations such as the Data Security Law, the Personal Information Protection Law, the Cryptography Law, and other management regulations.
From the perspective of enterprises, the way data security work is implemented has also changed, summarized as follows:
- With the deepening of digital transformation, enterprises that already have the basic conditions for data security construction expect it to show value and effectiveness, and focus more deeply on behavior visibility and the identification of data flow risks in data usage activities.
- Internal and external pressures make users pay more attention to risk management; the difficulty of directly implementing the data security system also makes users and regulatory authorities pay more attention to discovering risks and containing risks.
- Data security compliance assessments, such as data security inspections, data security risk assessments, cross-border data assessments, and compliance gap-filling construction, have been clearly put on the agenda.
- Many users who had not started data security construction in the past have moved on from their previous attitude of observation and hesitation and are gradually entering the stage of investigation, evaluation, and finding application scenarios.
- Reserving and starting to cultivate capabilities for data asset valuation, innovative applications of data assets, data element trading and circulation, and other data value scenarios such as data asset listing.
The fifth item in particular is the main form in which data assets create value, directly or indirectly, and also the main lever driving data security work.
How to carry out data security work in a scientific manner
Through the practice of several data security projects for national central enterprises, finance, medical and health care, and government public welfare data, an overall framework and roadmap for implementing data security work has been abstracted.
- Construction of data security management system
A sound organizational structure and complete data security systems and processes are the first step in ensuring data security. Data security is also known as a 'top leader project'. Only when leaders pay attention and the data security management system is established will data security be gradually built up.
- Construction of data security technical system
Based on the full lifecycle of data, construction is carried out from six stages: data collection, data storage, data transmission, data processing, data exchange, and data destruction. A comprehensive analysis of the risks at each stage is conducted, and data security technical means are formulated to address the risks according to the trends at each stage.
- Construction of data security operational system
With only management and products but no operational system, the construction of data security is merely talk. Only by building an operational system and better testing the effectiveness of data security management and the role of the data security technical system can we comprehensively build data security.
The next topic is: Too abstract to do data security work? Share a business practice (Part Two), which shares with everyone the milestones and specific work in the above figure.
If the feedback is good, I will continue this series, sharing the pitfalls encountered and the interesting things in the process of service implementation.
I also hope to get to know more friends who are engaged in this field of work and to discuss together how to achieve value in data security work. You are welcome to send a private message to exchange contact information.
