Data is a symbol, or a combination of symbols, that records the nature and state of objective things and the relationships between them. In essence, data records a continuous activity process through stages such as production, processing, and transmission, and in turn guides the ongoing development of business activities. The value of data is therefore fully reflected in the secondary process, and its transmission, interaction, and use are the concentrated expression of that value. Data security is built on this value: it ensures that data is recorded accurately, that it is exchanged and processed securely and accessed only by the designated objects, and that it is protected from destruction, misappropriation, and unauthorized access. Data security capability refers to the series of activities an organization undertakes in security planning, security management, security technology, and security operations to ensure the confidentiality, integrity, and availability of data as it flows.
2. The driving force of data security capacity building
2.1 Compliance Drive
The EU officially implemented the “General Data Protection Regulation” (GDPR), setting off a wave of reforms in personal data protection legislation.
2.2 Business Drive
With the rapid development of emerging technologies such as cloud computing, big data, and artificial intelligence, data, as the means of production that supports the existence and development of these cutting-edge technologies, has become the core asset of the organization and has received unprecedented attention and protection. Data becomes an asset and infrastructure, and data-driven business becomes the biggest source of innovation for new business development. Data-centric security governance needs to focus on the security of the data itself and build security capabilities around the life cycle of the data, including the security status of the related systems at each stage, specific data security products and strategies for each stage, security operations, system and management system design, professional capacity building, and so on.
The data life cycle refers to the entire process of data from creation to destruction, including collection, storage, processing, application, flow, and destruction. Through targeted risk analysis at each stage of the data life cycle, we can get:
The main risks in the collection phase are concentrated in the collection source, the collection terminal, and the collection process. They include unauthorized collection, unclear data classification and grading, unclear identification of sensitive data, lack of fine-grained access control during collection, inability to trace data, leakage of collected sensitive data, the security of the collection terminal, and after-the-fact auditing of the collection process.
The storage stage faces unclear data classification and grading, confidentiality requirements for important data, and a lack of fine-grained access control for important data.
The transmission phase mainly refers to data transmission between business platforms, between nodes, between components, and across organizations. The main risk is data leakage during transmission.
The security risks faced in the processing phase include the lack of access control during data processing, the lack of control over the access interface of data results, the lack of sensitive data protection measures for data processing results, and the lack of security audit and data traceability capabilities.
The data exchange stage mainly refers to data that is finally provided to other business systems and users for use. At this stage, the main data security risks are unauthorized output and exchange during data exchange and data output, and leakage of the output data in the application or on the terminal.
The destruction phase mainly refers to the clearing or destruction of user data after obtaining the user’s authorization or request.
3. Thoughts on data security capability building
3.1 Data security capacity building goals
After analyzing the challenges data security faces at the compliance, business, and risk levels, and combining the organization’s data security goals and vision with the needs of business, management, technology, and operations, we take data as the core and focus on the data security life cycle: plan and design a global and open data security system, improve integrated data security management capabilities, consolidate the data security technology base, build data security operation scenarios, and make organizational data assets visible, data traceable, data risks controllable, and data threats manageable.
3.2 Thoughts on Data Security Capacity Building
As the organization’s business grows and expands, its data becomes more diverse and larger in volume, and the corresponding data security issues become more and more complex. They are difficult to address with one or two technologies alone. In addition, data security is not only a technical issue; it also involves laws and regulations, standard procedures, personnel management, and other matters. A scientific data security practice system is therefore very necessary for organizations. In recent years, some security-related organizations have put forward data security practices, methodologies, and solutions. These fall mainly into two categories: one is the “top-down” data security governance system; the other is the data security capability maturity model system.
Data Security Governance (DSG) was first proposed by Gartner at the 2017 Security and Risk Management Summit and was further improved at Gartner Summit 2019. Gartner believes that data security governance is a complete chain that runs through the entire organizational structure from top to bottom, from the decision-making level to the technical level, from the management system to the tool support. All levels of the organization need to reach a consensus on the goals of data security governance, and ensure that reasonable and appropriate measures are taken to protect digital assets in the most effective way. Its security governance framework is shown in the figure below. It is divided into 5 steps that proceed “from top to bottom”, from balancing business needs, risks, compliance, and threats to implementing security products and configuring strategies for product protection.
The Data Security Maturity Model (DSMM) is a systematic framework for the construction of data security. It focuses on the life cycle of data and combines business needs and regulatory requirements to improve the overall data security capabilities of the organization and form a data-centric security framework.
3.3 Data Security Capacity Building Framework
Data security capacity building is not the construction of a single product or platform, but the construction of a data security system that covers all data usage scenarios. It therefore needs to be completed step by step. Data security capacity building is not a one-off project, but more like a long-term engineering effort. In order to put data security capabilities into practice effectively and form a closed loop of data security, we need a systematic data security capability building framework.
On the whole, the data security capability building framework takes the regulatory requirements of laws and regulations and business development needs as input. On the basis of fully identifying the organization’s business scenarios and risk status, the organization’s data classification and grading standards are formulated, and the capability requirements of the management, technology, and operation dimensions are met to secure each process area of the data life cycle. The following outlines the framework design of the four capacity dimensions:
Planning capability dimension
Data security ultimately serves the business development of the organization and cannot be separated from the business or exist independently. On the premise of meeting the requirements of laws and regulations, data security capacity building must be carried out in line with the needs of business development. At the same time, in combination with risk management, data classification and grading standards must be formulated to provide guidance for management, technical, and operational capacity building.
Management capability dimension
Organizational construction: refers to establishing the data security organization’s structure, assigning responsibilities, and setting up communication and collaboration. The organization can be divided into three layers: the decision-making layer, the management layer, and the executive layer. The decision-making layer is composed of executives and data security officers who participate in business development decisions; it formulates data security goals and visions and strikes a balance between business development and data security. The management layer consists of the core data security department and the management teams of the business departments; it is responsible for formulating data security strategies and plans, as well as specific management specifications. The executive layer is composed of data security-related operations and technology personnel and the interface personnel of the various business departments; it is responsible for ensuring the implementation of data security work.
System process: refers to the construction and implementation of specific data security management systems, including data security policies and general guidelines, data security management specifications, data security operation guidelines and work instructions, and related templates and forms.
Personnel ability: refers to the ability of personnel to realize the construction and implementation of the above organization, system and technical tools. Core capabilities include data security management capabilities, data security operations capabilities, data security technical capabilities, and data security compliance capabilities. According to different data security capacity building dimensions, different personnel ability requirements are matched.
Technical capability dimension
Data security technical capacity building does not start from scratch. It builds on the organization’s infrastructure security construction, focuses on the security requirements of the data life cycle, and establishes technologies and tools that match the systems and processes and ensure that they are effectively implemented. It is recommended to use standard data security products or platforms, or self-developed components or tools. All life cycle process areas need to be integrated for overall planning and implementation, and must be connected with the organization’s business systems and information systems. At the same time, data security technical capabilities need to support the execution and monitoring of operational capabilities, so that data security requirements are met in every data usage scenario.
Operational capability dimension
Data security capacity building is a long-term, continuous process. Data security related systems and processes must be continuously implemented within the organization, and continuously adjusted and optimized as the organization’s business changes and technology develops. Security is also a continuous spiral process: through continuous monitoring of security risks in the data life cycle, the organization identifies and judges the effectiveness of its existing data security control measures and, by strengthening security operations capabilities, implements data security strategies, regulations, and technical tools within the organization.
4. Data security planning capacity building
4.1 Business scenario recognition
Identifying business data usage scenarios is the starting point for data security capability building. Business data scenario identification is based on the data life cycle: through analysis of data collection, data storage, data transmission, data processing, data usage, and data destruction scenarios, it sorts out requirements for assets, data, users, and permissions, and guides the construction of the various capacity dimensions, so that security technology, management, and operation capabilities are implemented in a scenario-based way.
4.2 Data risk assessment
Data security risk assessment starts from the results of business scenario identification. With sensitive data as the center and the data life cycle as the main line, it focuses on sensitive data scenarios, the business processes that carry sensitive data, the circulation of sensitive data, and all types of business executives and permissions involved in the corresponding business activities. It analyzes and evaluates the data security threats and risks in the related business processing activities, such as elevation of permissions, information leakage, fraudulent use of user identities, data tampering, and repudiation of actions.
Data security risk assessment process:
Background establishment stage: Determine the object and scope of data security risk assessment, conduct investigation and analysis of relevant information on databases, servers, and documents involving business data, and prepare for the implementation of data risk management.
Risk assessment stage: Identify data assets according to the scope of the data security risk assessment, analyze the threats and vulnerabilities faced by business system data, and, taking the data security control measures into account, make a comprehensive judgment of the risks faced by business system data from the technical, management, and operational aspects, then rank the risk assessment results.
Risk processing stage: Comprehensively consider the cost of risk control and the impact of risks, analyze the security requirements of business system data at the technical, management, and operation and maintenance levels, and propose practical data security measures. Clarify the acceptable risk level for business system data, and adopt control measures such as acceptance, reduction, avoidance, or transfer.
Approval and supervision stage: Includes decision-making and continuous supervision. Based on the evaluation results and processing measures, it is judged whether the data security requirements can be met; the decision-making level decides whether to recognize the risk and continuously monitors changes in the environment related to business data.
Monitoring, auditing, communication and consultation run through the above basic steps to track changes in the security requirements of business systems and business data, and effectively control the process and cost of data security risk management activities.
4.3 Data classification and grading
Data classification and grading is a key part of data security capacity building. It is the basis for establishing a unified, accurate, and complete data architecture, and the basis for achieving centralized, professional, and standardized data management. Data classification and grading gives a comprehensive and clear picture of data assets, determines the data security protection strategies and control measures that should be adopted, and promotes open data sharing on the basis of ensuring data security.
Data classification merges data that shares a common attribute or characteristic and distinguishes data by the attributes or characteristics of its category. In other words, information with the same content or the same nature, and information that requires unified management, is grouped together; information that differs or needs to be managed separately is kept apart; and the relationships between the groups are then determined to form an orderly classification system. Data classification should be based on the principles of systemicity, normativeness, stability, clarity, and scalability, and should comprehensively consider the attributes and category characteristics of the data in each business scenario. For example, the organization’s data can be divided into organization management data, business operation data, network and IT system operation and maintenance data, and partner data.
After the data has been classified, it must be graded according to its sensitivity. Data grading should comply with the principles of compliance, enforceability, timeliness, autonomy, rationality, and objectivity. For example, based on sensitivity level, data can be divided into four levels: extremely sensitive, sensitive, relatively sensitive, and low sensitive.
Together, data classification and grading form the organization’s data classification and grading standard. Combined with the various scenarios in the data life cycle, the standard is used to sort out data assets, discover and sort out sensitive data, and fully understand how data is distributed, and then to formulate corresponding system specifications and adopt matching technical tools for the security management and control of the organization’s data, so as to achieve the goal of data security capacity building.