"Data Security Governance White Paper" 2.0 Lite

As a methodology for building data security, the "Data Security Governance White Paper" has been comprehensively upgraded and re-released as version 2.0. The white paper was compiled by the Data Security Governance Committee of the China Cyber Security and Information Technology Industry Alliance (hereafter the Data Security Governance Committee). It surveys the state of data security systems at home and abroad, market trends, standards and frameworks, and brings together a number of benchmark data security governance practices from industry. It gives governments and enterprises overall thinking and planning for building data security, and offers data security solutions and governance cases that are of reference value to those who design and implement data security programmes.

"Data Security Governance White Paper" Version 2.0 Revision Notes

Version 2.0 of the "Data Security Governance White Paper" revises and improves the following:

1. Added database anti-ransomware technology: an analysis of database ransomware attacks, together with the proposed countermeasures;

2. Added an interpretation of the evaluation report on the collection of personal information and on privacy policies;

3. Updated the summary of domestic and international data security incidents through 2019;

4. Added a list and explanation of data security regulations and standards;

5. Under the external policies and governance requirements to be followed, added personal information security management practices and the data governance guidelines for banking financial institutions;

6. In Appendix C (data security governance practices), added three new industry practices: the Ministry of Education's data security governance practice, a municipal government cloud data governance practice, and the State Grid data security governance practice;

7. In Appendix D, added major domestic and international data security incidents, including the leak of 500 million Marriott guest records and the Oracle RushQL ransomware incident;

8. Added transparent data encryption technology;

9. Added database anti-ransomware technology;

10. Optimized the text and paragraph structure throughout.

"Data Security Governance White Paper" 2.0 Lite

1. Building data security requires systematic thinking

1.1 Data security has become the core security issue

Looking back over the past twenty years, the informatization of governments and enterprises has steadily deepened, and the complexity and openness of IT systems have grown with it. With the rapid development of cloud computing, big data, artificial intelligence and other emerging technologies, data, as the foundation on which these technologies are built and developed, has become a core asset of the organization and receives unprecedented attention and protection. Data security problems in turn become security problems for corporate decision-making and for society. Data security has therefore become a core issue of corporate asset security, personal privacy, and national and social security.

1.2 Diversification of data leakage paths

Over the past few years, large-scale data breaches have followed one after another. Analysis of these breaches shows that, beyond *** ***, there are even more cases of insiders selling data, former employees leaking information, third-party outsourcers trading data, third parties leaking data that was shared with them, and developers and testers using data illegitimately.

These complex leakage paths are hard to guard against. Traditional network security construction is built around resisting ***, taking *** as the object of defence and of security policy, and has significant gaps against insider and third-party leakage. Traditional network security therefore needs to shift to a security policy centred on the data itself.

1.3 The explosion of data security regulations and standards

Security incidents follow one after another, challenging business assets and national security, and in an era of highly developed data the large-scale leakage of personal privacy poses great challenges to social stability, individual freedom and safety. Countries around the world have therefore issued a series of regulations to protect the important data of individuals, enterprises and nations.

1.4 Data security requires systematic thinking and a construction framework

As the importance of data security rises, user investment in this direction is also increasing. According to the forecast in KVB Research's 2017 big data security report, global investment in big data security reached US$10.2 billion in 2017 and is expanding at a compound annual growth rate of 17%, reaching US$30.9 billion (roughly 200 billion yuan) by 2023.


(KVB Research's forecast of the big data security market)

In China, with the introduction of the Cybersecurity Law and the recognition of the value of data assets, investment by government agencies and enterprises in this direction is also growing, and data security products aimed at database auditing, encryption and desensitization are becoming a hot spot for procurement.

Data security governance thinking combines data security technology with data security management, integrates the demands of multiple roles and departments (business, security, network and so on), and summarizes them into systematic ideas and methods.

2. Basic concepts of data security governance

Gartner has studied the principles and framework of data security governance as a dedicated field, and international research institutions and large enterprises such as Microsoft have also put forward data governance programmes for privacy, confidentiality and compliance from the perspective of data privacy compliance. On the basis of this international understanding, we propose a data security governance philosophy and technical route for China, filling the domestic gap and helping the concept be implemented more effectively in the country.

2.1 Data Security Governance Overview

Data security governance is a methodology for building a security system with the aim of "making data safer". Its core content includes:

(1) It addresses three requirement objectives: data security protection (Protection), compliance (Compliance) and sensitive data management (Sensitive);

(2) Its core ideas are classification and grading (Classifying), role authorization (Privilege) and scenario-based security (Scene);

(3) The steps for building data security governance are organization building, asset inventory, policy formulation, process control, behaviour auditing and continuous improvement;

(4) The core implementation framework consists of three parts: the data security organization (Person), the policies and processes for secure data use (Policy & Process), and data security technical support (Technology).

2.2 Data security governance construction and evolution model

To practise data security governance effectively, we need a systematic process for building it.


Data security governance construction system

Organization building: the first task in data security governance is to set up a dedicated security governance team, so that data security governance work can be carried out continuously over the long term;

Asset inventory: once the team is in place, the important step is to take stock of the enterprise's data assets;

Policy formulation: based on the inventory, classify and grade the data, divide personnel into roles, restrict the scenarios in which each role may use the data, and specify the security policies and measures for those scenarios;

Process control: the different role teams must put the relevant process rules into practice in daily management, business execution and operations work, adopting the corresponding data security support tools and integrating them into office and operations processes;

Behaviour auditing: audit the data access process to see whether, even with the current security policies effectively enforced, potential security risks remain;

Continuous improvement: further inventory the current data assets, reorganize the current data security organization structure, revise the enterprise's current data security policies and standards, and continuously ensure that the security policies are put into practice.

3. Organization building for data security governance

Data security governance begins with establishing a dedicated data security governance body, to make clear who is responsible in the long term for the policy, implementation and supervision of data security governance, and thereby ensure that it is effectively carried out.


Organization and role structure for data security governance at a telecom operator

(Note: dark boxes are departments and light boxes are roles; the structure covers business, security, operations and the enterprise's related management support departments)

4. Formulating data security governance standards

The most important part of the entire data security governance process is formulating the data security policies and processes. Within an enterprise or industry these are usually published as a document such as the "XX Data Security Management Standard", and all workflows and technical support are designed and implemented around this standard.

5. Technical support framework for data security governance

5.1 Technical challenges of data security governance

Organizations that implement data security governance generally have a relatively advanced and mature level of informatization: huge data assets, diverse ways of using data, numerous data-using roles, and rigid demands for data sharing and analysis. Ensuring that data is used effectively while keeping its use secure requires very strong technical support.

Data security governance faces three major challenges: inventorying the state of data, access to and control of sensitive data, and auditing of data governance.


Current challenges facing data security governance

5.2 Technical support for data security governance

5.2.1 Technical support for data asset inventory

Data security governance begins with data asset inventory. It is the foundation of database security governance: through it one determines where sensitive data is distributed within the system, how that sensitive data is accessed, and the current state of accounts and authorizations. Based on the organization's own data value and characteristics, the core data assets are identified and then classified and graded; only on this basis can finer-grained data security management measures be determined.

(1) Static inventory technology

(2) Dynamic inventory technology

(3) Visualization of the state of data

(4) Security assessment of the systems that store data assets
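The static inventory step above (sample the stored data, find where sensitive fields live, grade each table) is the one most often automated, so here is an added example of it. This code is not from the white paper or from any vendor's product; it uses an in-memory SQLite database with constructed rows, the three detection patterns (PRC resident ID number, mainland mobile number, e-mail address) and the four-level grading are assumptions for the demo, and the 60% match threshold is an illustrative choice.

```python
import re
import sqlite3
from collections import Counter

# Assumed four-level classification for the demo (4 = core/most sensitive, 1 = ordinary).
# Patterns: PRC resident ID number, mainland mobile number, e-mail address.
PATTERNS = {
    "id_card": (re.compile(r"^\d{17}[\dXx]$"), 4),
    "mobile": (re.compile(r"^1[3-9]\d{9}$"), 3),
    "email": (re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"), 2),
}


def classify_value(value):
    """Return the sensitive-data kind a single cell matches, or None."""
    if value is None:
        return None
    text = str(value).strip()
    for kind, (pattern, _level) in PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


def classify_column(values, threshold=0.6):
    """Classify a column from a sample of its values; returns (kind, level).

    A column is tagged with a kind only if at least `threshold` of the non-null
    samples match it. This tolerates dirty rows without letting one stray e-mail
    in a free-text column mark the whole column as sensitive.
    """
    non_null = [v for v in values if v is not None]
    if not non_null:
        return ("unknown", 1)  # empty column: needs manual review
    hits = Counter(k for k in map(classify_value, non_null) if k)
    if not hits:
        return ("plain", 1)
    kind, count = hits.most_common(1)[0]
    if count / len(non_null) >= threshold:
        return (kind, PATTERNS[kind][1])
    return ("plain", 1)


def inventory(conn, sample_rows=200):
    """Static inventory: sample every column of every table and classify it.

    Identifiers come from the catalogue (sqlite_master), not from user input, and
    are double-quoted. On a real estate, run this through a read-only account and
    keep the LIMIT so the scan itself does not become a bulk export.
    """
    report = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for column in columns:
            rows = conn.execute(
                f'SELECT "{column}" FROM "{table}" LIMIT {int(sample_rows)}'
            ).fetchall()
            report[(table, column)] = classify_column([r[0] for r in rows])
    return report


def table_levels(report):
    """Grade each table by the highest level of any of its columns."""
    levels = {}
    for (table, _column), (_kind, level) in report.items():
        levels[table] = max(levels.get(table, 1), level)
    return levels


def build_sample_db():
    """Constructed in-memory database standing in for a real data estate."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT, id_card TEXT, mobile TEXT, email TEXT);
        CREATE TABLE orders (order_id TEXT, customer_id INTEGER, amount REAL, note TEXT);
        INSERT INTO customers VALUES
            (1, 'Zhang San', '110101199003071233', '13800138000', 'zhang@example.com'),
            (2, 'Li Si',     '310101198512124567', '13912345678', 'li@example.com'),
            (3, 'Wang Wu',   '440301197707076789', 'n/a',         NULL),
            (4, 'Zhao Liu',  '120101200001011111', '15011112222', 'zhao@example.com');
        INSERT INTO orders VALUES
            ('A1001', 1, 99.5,   'gift wrap'),
            ('A1002', 2, 1200.0, 'contact zhao@example.com if late'),
            ('A1003', 3, 15.0,   NULL);
    """)
    return conn


if __name__ == "__main__":
    conn = build_sample_db()
    report = inventory(conn)
    for (table, column), (kind, level) in sorted(report.items()):
        print(f"{table}.{column:<12} {kind:<8} level {level}")
    print("table grades:", table_levels(report))
```

The `mobile` column is graded as mobile numbers even though one row holds `n/a`, while the `note` column stays plain although one note contains an e-mail address; the threshold is what makes the difference. A dynamic inventory would instead observe the same columns in live traffic and add who reads them and how often, which this static pass cannot tell you.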

5.2.2 Security control of data use

During its use, data falls into the following usage scenarios, divided by how the data moves and by what it is needed for:

● Accessing data through business systems

● Modifying data during database operations and maintenance

● Using data in development and testing

● Using data in BI analysis

● Distributing data to external parties

● Use of data by internal high-privilege personnel

At every stage of data use, technical means are needed to effectively avoid the security risks of each scenario.

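Scenario-based security (Scene) plus role authorization (Privilege) comes down to a policy that says, for each usage scenario above, what a sensitive field looks like when it leaves the database. The added example below is not the white paper's and not any product's; it shows one concrete shape such a policy can take for the six scenarios listed, with desensitization done three ways: static partial masking for business and operations use, keyed format-preserving tokenization for development/test data so that joins across tables still work, and dropping the field entirely for BI and external distribution. The policy matrix, the HMAC key, the field kinds and the sample record are all assumptions of the demo; the ID-number check digit is the standard GB 11643 (ISO 7064 MOD 11-2) calculation.

```python
import hashlib
import hmac

# Assumed policy matrix (illustrative, not the white paper's): for each usage
# scenario from the list above, what happens to each kind of sensitive field.
#   keep     - plaintext
#   partial  - static masking, part of the value blanked
#   tokenize - deterministic, format-preserving substitute keyed by HMAC
#   drop     - field removed from the record
POLICY = {
    "business":   {"id_card": "partial",  "mobile": "partial",  "email": "keep"},
    "ops":        {"id_card": "partial",  "mobile": "partial",  "email": "partial"},
    "devtest":    {"id_card": "tokenize", "mobile": "tokenize", "email": "tokenize"},
    "bi":         {"id_card": "drop",     "mobile": "drop",     "email": "drop"},
    "external":   {"id_card": "drop",     "mobile": "drop",     "email": "tokenize"},
    "privileged": {"id_card": "keep",     "mobile": "keep",     "email": "keep"},
}

# ISO 7064 MOD 11-2 check character used by PRC resident ID numbers (GB 11643).
_ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
_ID_CHECK = "10X98765432"


def id_check_char(first17):
    total = sum(int(d) * w for d, w in zip(first17, _ID_WEIGHTS))
    return _ID_CHECK[total % 11]


def valid_id_card(value):
    return (len(value) == 18 and value[:17].isdigit()
            and value[17].upper() == id_check_char(value[:17]))


def _digits(key, value, n):
    """n decimal digits derived from HMAC-SHA256(key, value)."""
    mac = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return str(int.from_bytes(mac, "big")).zfill(n)[:n]


def tokenize(kind, value, key):
    """Format-preserving substitute: same shape, same key -> same token, real value gone."""
    if kind == "mobile":
        d = _digits(key, value, 10)
        return "1" + str(3 + int(d[0]) % 7) + d[1:10]      # 1[3-9] + 9 digits
    if kind == "id_card":
        body = _digits(key, value, 17)
        return body + id_check_char(body)                   # passes the checksum
    if kind == "email":
        local, _, domain = value.partition("@")
        tag = hmac.new(key, local.encode("utf-8"), hashlib.sha256).hexdigest()[:12]
        return f"{tag}@{domain}"   # domain kept so the data distribution stays realistic
    return value


def partial(kind, value):
    """Static masking for display: enough to recognise a record, not enough to reuse it."""
    if kind == "mobile":
        return value[:3] + "****" + value[7:]
    if kind == "id_card":
        return value[:6] + "********" + value[14:]
    if kind == "email":
        local, _, domain = value.partition("@")
        return local[:1] + "***@" + domain
    return value


def apply_policy(record, column_kinds, scene, key):
    """Return a copy of `record` transformed for `scene`.

    Unknown scenes are refused rather than passed through, so a caller that forgets
    to register a new channel gets an error instead of plaintext; a sensitive kind
    missing from a scene's row is dropped for the same reason.
    """
    if scene not in POLICY:
        raise PermissionError(f"no data policy for scene {scene!r}")
    out = {}
    for column, value in record.items():
        kind = column_kinds.get(column)
        if kind is None or value is None:
            out[column] = value
            continue
        action = POLICY[scene].get(kind, "drop")
        text = str(value)
        if action == "keep":
            out[column] = value
        elif action == "partial":
            out[column] = partial(kind, text)
        elif action == "tokenize":
            out[column] = tokenize(kind, text, key)
        # "drop": the column is simply not emitted
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key"            # assumption: a real deployment uses a managed secret
    kinds = {"id_card": "id_card", "mobile": "mobile", "email": "email"}
    rec = {"name": "Zhang San", "id_card": "110101199003071233",
           "mobile": "13800138000", "email": "zhang@example.com"}
    for scene in POLICY:
        print(f"{scene:<10}", apply_policy(rec, kinds, scene, key))
```

The same record comes back different for each scenario, and the development/test copy still passes the ID-number checksum and the mobile-number format, which is what keeps validation code and cross-table joins working on desensitized data. The "privileged" row keeps plaintext, so that scenario is the one where the auditing of the next section has to carry the control.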

5.2.3 Data security auditing and inspection

The data security audit and inspection mechanism consists of four parts: behaviour auditing and analysis, monitoring of privilege changes, anomaly analysis, and establishing a security baseline.
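The four parts above fit together in one loop: audited access records are parsed, a baseline of normal behaviour is built per account, privilege changes are surfaced unconditionally, and new records are compared against the baseline to flag anomalies. The added example below runs that loop over constructed audit lines; it is not the white paper's and not any audit product's output. The log format, the account names, the rule set (object never seen for this account, access outside the account's usual hours, a result set more than ten times the account's largest, destructive DDL) and the ten-times bulk factor are all assumptions of the demo.

```python
import re
from collections import defaultdict

# Constructed record shape, roughly what a database audit proxy might emit.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}) "
    r"user=(?P<user>\S+) db=(?P<db>\S+) obj=(?P<obj>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)

PRIVILEGE_OPS = {"GRANT", "REVOKE", "CREATE_USER", "ALTER_USER"}
DESTRUCTIVE_OPS = {"DROP", "TRUNCATE"}


def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["hour"] = int(rec["hour"])
    rec["rows"] = int(rec["rows"])
    return rec


def build_baseline(lines):
    """Security baseline per account: objects touched, hours seen, largest result set.

    Privilege changes are deliberately left out of the baseline: a GRANT that
    happened last month is not a reason to stop looking at the next one.
    """
    base = defaultdict(lambda: {"objects": set(), "hours": set(), "max_rows": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["op"] in PRIVILEGE_OPS:
            continue
        b = base[rec["user"]]
        b["objects"].add((rec["db"], rec["obj"]))
        b["hours"].add(rec["hour"])
        b["max_rows"] = max(b["max_rows"], rec["rows"])
    return dict(base)


def audit(lines, baseline, bulk_factor=10):
    """Inspect new records against the baseline; returns (line_no, reason) findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, "unparseable"))
            continue
        if rec["op"] in PRIVILEGE_OPS:
            findings.append((n, "privilege_change"))  # always reviewed, never baselined
            continue
        if rec["op"] in DESTRUCTIVE_OPS:
            findings.append((n, "destructive"))
        b = baseline.get(rec["user"])
        if b is None:
            findings.append((n, "unknown_account"))
            continue
        if (rec["db"], rec["obj"]) not in b["objects"]:
            findings.append((n, "new_object"))
        if rec["hour"] not in b["hours"]:
            findings.append((n, "off_hours"))
        if rec["rows"] > bulk_factor * max(b["max_rows"], 1):
            findings.append((n, "bulk_export"))
    return findings


# Constructed history used to learn the baseline.
TRAINING = [
    "2019-06-03T09:12:44 user=app_order db=crm obj=customers op=SELECT rows=40",
    "2019-06-03T10:40:02 user=app_order db=crm obj=customers op=SELECT rows=50",
    "2019-06-03T11:02:10 user=app_order db=crm obj=orders op=INSERT rows=1",
    "2019-06-04T14:20:00 user=app_order db=crm obj=orders op=UPDATE rows=3",
    "2019-06-04T14:25:00 user=dba_wang db=crm obj=orders op=SELECT rows=5",
    "2019-06-04T14:26:00 user=dba_wang db=crm obj=users op=GRANT rows=0",
]

# Constructed records to inspect.
NEW = [
    "2019-06-10T10:30:00 user=app_order db=crm obj=customers op=SELECT rows=45",
    "2019-06-11T02:13:05 user=app_order db=crm obj=customers op=SELECT rows=200000",
    "2019-06-11T02:14:00 user=dba_wang db=crm obj=app_order op=GRANT rows=0",
    "2019-06-11T14:00:00 user=app_order db=hr obj=salaries op=SELECT rows=20",
    "2019-06-11T14:05:00 user=dba_wang db=crm obj=orders op=DROP rows=0",
    "2019-06-11T14:06:00 user=tmp_user db=crm obj=customers op=SELECT rows=3",
]

if __name__ == "__main__":
    baseline = build_baseline(TRAINING)
    for n, reason in audit(NEW, baseline):
        print(f"line {n}: {reason:<16} {NEW[n - 1]}")
```

Line 1 is the application doing what it always does and produces nothing; line 2 is the same account pulling the whole customer table at two in the morning and trips two rules at once; the GRANT on line 3 is reported even though the baseline contains an earlier GRANT by the same DBA; line 5 is the kind of mass-destructive statement that a ransomware-style attack on a database leaves in the audit trail. Real deployments would learn the baseline from weeks of traffic and use a percentile rather than the maximum, but the structure is the same.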

6. Outlook for data security governance

Gartner predicts that by 2021 more than 30% of enterprises will have begun implementing a data security governance framework. By 2022, 90% of corporate strategies will explicitly treat data as a key enterprise asset and data analytics as an essential capability; 30% of CDOs (chief data officers) will formally assess the value of their organization's data assets together with the CFO (chief financial officer) to improve data management and returns; and more than 30% of enterprises (currently under 5%) will use financial risk assessment of their data assets to prioritize investment choices in IT, analytics, security and privacy.

The data security governance industry can broadly be divided into large data-centre users, security governance consulting service providers, technical product suppliers and technical solution providers. Such an industry chain is now taking shape in China, and its construction will provide assurance for the implementation of data security governance.

Gartner's latest approach assesses the financial impact of data use through an infonomics model, the Financial Data Risk Assessment (FinDRA) model. Infonomics, as an important tool, enables security and risk management (SRM) leaders, chief information security officers (CISOs), chief data officers (CDOs) and CIOs to evaluate each data set against its revenue opportunity. The infonomics model also lets them assess the tangible and intangible costs of managing, storing, analysing and protecting data. The FinDRA model is shown in the figure:


Financial data risk assessment process

This means carefully assessing the business risk of the different financial liabilities, whether they are short-term or long-term effects of data monetization. The research describes how to assess the magnitude of potential liabilities and prioritize them by impact. Note that financial risk assessment is one part of a broader view of digital risk assessment.

7. Appendices

Appendix A Glossary

Appendix B International data security governance theory

Appendix C Data security governance practices

Appendix D Data security ecosystem

Appendix E Data security maturity model

Appendix F Important technologies related to data security governance



Origin blog.51cto.com/schina/2400976