With the promulgation and implementation of a series of laws and regulations such as the “Data Security Law”, the legal order of our country’s cyberspace has gradually improved, and cyber security has entered a new era. While promoting the development of critical information infrastructure and the digital economy, it is necessary to further enhance the ability to safeguard data security and detect risks, so that data security risks remain under control. This is of great significance to the effective maintenance of national sovereignty, national security, and social development interests.
1. Data security understanding and risk assessment requirements
(1) Understanding of data security
Article 3 of the “Data Security Law” provides a clear definition of data security, which refers to the adoption of necessary measures to ensure that data is in a state of effective protection and legal use, as well as the ability to ensure a continuous state of security. Combined with the definition, the connotation of the data security concept should be understood from both the broad and narrow perspectives.
Broadly speaking, data is an important basic strategic resource of the country, and the definition of data security is determined mainly by the importance of the data in economic and social development and by the degree of harm caused to national security, the public interest, or the legitimate rights and interests of individuals or organizations once the data is tampered with, destroyed, leaked, or illegally obtained or used. In a narrow sense, data security covers two things. The first is the security of the data itself and of data processing activities, which mainly includes the confidentiality, integrity and availability of the data itself, as well as security considerations in the collection, storage, use, processing, transmission, provision, disclosure and other links of data processing. The second is the security of the data support environment and protective measures, which mainly includes data carriers, protective equipment, encryption and decryption algorithms, and other active protective measures.
(2) Security risks faced by data
1. Data compliance security risks
Legal compliance has become the principle and bottom line for companies that process data. However, the construction of most companies’ data security compliance systems is still in its infancy, and there is no corresponding mechanism for assessing the risks caused by violations, so there may be potential security risks such as data leakage, data loss, data tampering, and data abuse.
2. Critical information infrastructure data security risks
At present, critical information infrastructure operators (hereinafter referred to as “operators”) are seriously inadequate in protecting important data across its full life cycle, and effective protection systems have not been established. In personal information protection in particular, effective anti-tampering and anti-leakage measures have not been adopted. Once an attacker successfully obtains server permissions, the attacker can steal, tamper with, and delete important data at will, causing large-scale leakage of sensitive information. In addition, operators have flaws in data protection in the development, operation and maintenance of the supply chain, so that systems go online with known defects and become an important entry point for attackers to steal data.
3. Outbound data security risks
The cross-border flow of data is the only way to maximize the value of data. The export of data is an inevitable trend, and security risks arise with it. The key risk in data export is compliance risk. While keeping their outbound business developing steadily, enterprises must ensure that outbound data does not violate national regulations and standards. In particular, they need to pay attention to whether there is a risk of illegality before the data leaves the country, during transmission, and when the data lands, and whether there is a risk of data abuse in the recipient’s protection of the data after it has left the country.
(3) Data security risk assessment requirements
In order to understand how the domestic critical information infrastructure industry currently understands data security risk assessment and what it needs from it, the China Information Security Evaluation Center has conducted field research in the country’s water conservancy, electricity, energy and other industries, covering the risks faced by data security, the directions of data security that receive attention, and the types of data protection, and has sorted out the following common needs.
1. The legality assessment requirements after the promulgation of the data security law
The promulgation of the “Data Security Law” has given data not only the “value” attribute, but also the “legal” attribute. The survey results show that all industries clearly regard the legal compliance of data security as a key task for the period ahead, and business managers have begun to pay attention to the data security risks they face and to how data security compliance can be achieved. For business managers, the most urgent task at present is to conduct a comprehensive data security risk assessment to find out whether there are violations of the law and where the gaps with legal requirements lie, so as to provide a basis for data security construction and governance.
2. Evaluation requirements for critical information infrastructure data
The requirements of critical information infrastructure operators for data security assessment mainly include the following points. First, risk assessment is needed to promote the construction of data classification and grading systems and the implementation of key protection measures, so that operators can achieve key protection of important data and core data, clarify the scope of protection, and clarify protection responsibilities and protection subjects. Second, risk assessment is needed to identify potential security hazards that may lead to the theft, leakage, and destruction of important data, and to reduce the adverse effects that may be caused if important data is attacked, especially important data and personal information related to national political security, economic security, and people’s livelihood security. Third, risk assessment is needed to promote the improvement of the data security defense system: to check whether the current data security protection measures are effective and whether the protection system can cope with the current network security situation, and finally to achieve the goal of “promoting construction by evaluation” and improving the overall data security defense system.
3. Security assessment requirements for data outbound transmission
The main assessment requirements for outbound data are as follows. The first is cross-border data transmission security assessment. According to the regulatory requirements, data sensitivity and data usage in different regions, different technical control measures need to be established for data transmission, access, monitoring, tracking, and storage across technology stacks, together with reporting and monitoring capabilities for evaluating the effectiveness of those security protection measures. The second is compliance assessment of outbound data: assessing whether the company has established appropriate control measures to deal with cross-border issues, and whether its international data transmission and data localization meet the requirements of the relevant domestic laws, so as to ultimately safeguard the outbound data business.
2. The overall framework of data security risk assessment
(1) Overall framework of data security risk assessment
In the context of the new era, data security risk assessment should also have the characteristics of the times. Its development must take the “Data Security Law” as the fundamental starting point and build on the theoretical framework of cyber security risk assessment. The content and indicators of the assessment focus on data as the core object, with the discovery of data security risks as the main purpose. Data security risk assessment should not set its assessment items against a single standard, nor should it be carried out in one fixed mode. The main reason is that data is a special type of assessment object: it flows dynamically, and the security risks it faces differ with the environment it flows through. A comprehensive risk assessment should be carried out around the data assets, threats and vulnerabilities of the specific data objects being evaluated, to find out the risks they face in their specific threat environment. The theories and models of risk assessment should be diverse and suited to different environments and goals.
The data security risk assessment proposed in this article has its own perspective and ideas, and focuses on a particular type of security need. Its main purpose is to discover major risks and major hidden dangers in the data security of the country’s critical information infrastructure industry. It conducts risk assessments of legal compliance, data processing, the supporting environment, and, as a special scenario, the cross-border flow of data. The main idea is as follows. First, sort out the business, clarify the data assets, and confirm the scope and importance of the data assets. This is the basis of risk assessment, so the key to data identification security is the identification of data assets. Second, when sorting out the risks of data processing activities, first consider whether there is a risk of illegal activity, and conduct a legal compliance assessment in accordance with published laws and regulations. Once legality is satisfied, the risk assessment of data processing activities is carried out: on the one hand, risk discovery for the data itself, and on the other hand, risk discovery for the environment that carries the data. If the cross-border flow of data or data sovereignty risks come up during risk discovery, the assessment focuses on the cross-border scenario and evaluates the data security risks in the process of cross-border data flow. Data security risk assessment results can be used as an important reference for data security governance, supervision, auditing and evaluation.
Figure: Overall framework of data security risk assessment
(2) Core content of data security risk assessment
1. Data identification security assessment
Data identification is the basis of data security assessment. Identifying the data makes it possible to determine how the data is distributed inside the business system, how the data is accessed, and which accounts currently have access to the data and with what authorization. Data identification effectively supports the operator’s management of its data security status. Based on national and industry laws, regulations and standards, data identification usually includes business flow identification, data flow identification, data security responsibility identification, and data classification and grading identification.
2. Data security legal compliance assessment
Compliance with the relevant legal requirements is the prerequisite and basis for all data processing activities, and it is also one of the security capabilities that attracts the most attention. Data security risk assessment cannot completely prevent data security risks from occurring, but it can reduce violations of laws and regulations. The data security legal compliance assessment in this article is based on national and industry laws, regulations and standards. It focuses on evaluating how operators and other data processors implement the data security requirements of the relevant laws and regulations, including personal information protection, the security of important data leaving the country, network security review, the implementation of cryptographic technology, the assignment of institutions and personnel, system construction, classification and grading, and the implementation of data security measures, as well as the implementation of other laws and regulations, policy documents, and standards. The purpose of legal compliance assessment is not only to deal with risks, but also to identify gaps, drive the legalization of data security construction, and improve the data security governance system.
3. Data processing security assessment
The evaluation of data processing security is carried out around the collection, storage, use, processing, transmission, provision, and disclosure of data processing activities. The assessment is mainly for the standardization of data collection, the security of storage mechanism, the security of transmission, the security of processing and provision, and the standardization of openness during data processing.
4. Data environment security assessment
Data environment security refers to the environmental support for the entire life cycle of data, which can be reused in multiple life cycle links, mainly including environmental infrastructure such as hosts, networks, operating systems, databases, and storage media. The security assessment of the data support environment mainly includes communication environment security, storage environment security, computing environment security, supply chain security and platform security.
5. Security assessment of outbound important data
The export of important data is a risk scenario on which data security risk assessment focuses. If the business of the assessed object includes data export, a special assessment needs to be carried out according to this section. It focuses on the binding constraints, supervision, and relief channels that apply to the sender of the outbound data, as well as the subject qualifications of the recipients of the outbound data and their performance of their commitments.
(3) Comprehensive judgment of data security risk assessment
The principle of risk analysis is to use asset identification, vulnerability identification and threat identification to calculate the severity of the loss caused by the threat and the probability of the security incident, and then use the severity of the loss and the probability of the incident to obtain the risk value. Finally, the risk level is assigned.
The method for analyzing and determining the overall risk to data is to consider the possibility that known threats exploit known vulnerabilities of data assets and, if such exploitation occurs, the consequences or adverse effects (i.e., the degree of harm). Threat and vulnerability information, together with possibility and consequence/impact information, is used to determine the data security risk qualitatively or quantitatively. The analysis focuses on the “data life cycle” or the “data application scenario”. The final assessment result states that a certain vulnerability of a certain asset is exploited under a certain business or threat scenario and causes certain damage, how likely that damage is, and how large the impact will be after the damage, and from these it comprehensively evaluates how large the risk is.
1. Possibility analysis
Possibility refers to the probability that an attack event leads to the loss of mission capability. Determining it should take threat assumptions into account, that is, clarify the types of threats that the data assets and supporting environment may face, such as network security threats, natural disasters or physical security threats. It should also take into account the actual data security vulnerability information for the business scenario, including the identified vulnerabilities of the system, the data or the supporting environment. The possibility analysis should comprehensively consider the difficulty of successfully exploiting the vulnerability, combine it with the threat information, and determine the possibility of a successful attack in the actual application scenario.
2. Impact analysis
Impact analysis is a correlation analysis process that comprehensively considers factors such as the system the data belongs to, the value of the data, and the impact on the organization after the data is destroyed. To a large extent, impact analysis must be combined with the possibility of the vulnerability being exploited by threats and with the judgment that the managers of the assessed unit make on risk decisions from the business perspective, before finally deciding whether to accept, avoid, mitigate, share or transfer the risk.
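The calculation described in this section, as an added Python example that is not part of the original article: each scenario ties one data asset, one threat and one vulnerability to a data life cycle stage, and the possibility and loss scores are combined into a risk value and a level. The 1 to 5 scoring scales, the geometric-mean combination, the level thresholds and the sample register are all assumptions made for illustration; the article does not prescribe a scale.

```python
from dataclasses import dataclass
from math import sqrt

# Assumed level floors on the 1..25 risk value; the article defines no scale.
LEVELS = [(20, "very high"), (15, "high"), (10, "medium"), (5, "low"), (0, "very low")]

@dataclass(frozen=True)
class Scenario:
    asset: str           # data asset found during data identification
    stage: str           # data life cycle stage where the damage would occur
    asset_value: int     # 1..5, importance of the data
    threat: str
    threat_freq: int     # 1..5, how often the threat is expected
    vulnerability: str
    exploitability: int  # 1..5, 5 = trivially exploitable
    severity: int        # 1..5, damage if the vulnerability is exploited

    def __post_init__(self):
        # Reject scores outside the assumed scale instead of silently skewing results.
        for name in ("asset_value", "threat_freq", "exploitability", "severity"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be between 1 and 5")

def likelihood(s):
    """Possibility: threat information combined with ease of exploitation."""
    return sqrt(s.threat_freq * s.exploitability)

def loss(s):
    """Impact: value of the data combined with severity of the weakness."""
    return sqrt(s.asset_value * s.severity)

def risk_value(s):
    return round(likelihood(s) * loss(s), 2)

def risk_level(value):
    return next(label for floor, label in LEVELS if value >= floor)

def assess(scenarios):
    """Return (risk value, level, scenario) rows, highest risk first."""
    rows = [(risk_value(s), risk_level(risk_value(s)), s) for s in scenarios]
    return sorted(rows, key=lambda row: row[0], reverse=True)

def worst_by_stage(scenarios):
    """Highest risk value per life cycle stage."""
    worst = {}
    for value, _, s in assess(scenarios):
        worst[s.stage] = max(worst.get(s.stage, 0), value)
    return worst

# Constructed sample register, not data from the article.
SAMPLE = [
    Scenario("customer personal information", "storage", 5,
             "server compromise", 4, "no anti-leakage controls", 4, 5),
    Scenario("operations telemetry", "transmission", 3,
             "interception", 2, "legacy cipher on one link", 2, 3),
    Scenario("customer personal information", "provision", 5,
             "recipient misuse", 3, "no recipient commitments", 3, 5),
    Scenario("billing records", "storage", 4,
             "insider access", 2, "shared admin account", 4, 3),
]

if __name__ == "__main__":
    for value, level, s in assess(SAMPLE):
        print(f"{value:5.2f}  {level:<9}  {s.stage:<12}  {s.asset}: {s.vulnerability}")
```

The treatment decision (accept, avoid, mitigate, share or transfer) is left out on purpose, since the text assigns it to the judgment of the assessed unit's managers.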
3. Risk conclusion
The conclusion of the data security risk assessment should cover three levels of risk. First, according to the nature and importance of the assessed organization or industry, a data security strategy risk report at the level of the national organization or industry can be formed. Second, data security risk reports are formed at the level of each enterprise, in accordance with the mission and form of its critical information infrastructure business. Third, based on the characteristics or scenarios of the data itself, risk assessment reports are formed for key concerns such as the system level, the data level, or the supply chain level. The conclusion of the risk assessment should include the possibility and impact of potential data security breaches, the possibility of risks in specific scenarios and for specific data, and the effectiveness and gaps of the existing data security protection measures. It then serves as the basis for decision-making on the assessed unit’s data security system construction, supporting environment construction, and overall data security planning.
3. Recommendations for data security risk assessment
(1) There are gaps in the relevant standard system for data security risk assessment, and it needs to be established and improved as soon as possible to provide a basis
At present, a general methodology and standard system for data security risk assessment have not yet been established. There is an urgent need to propose data security risk assessment methods and formulate data security risk assessment standards to guide assessment activities and meet the current urgent needs of data security protection. It is recommended to learn fully from existing standards, focus on the important industries and key areas of national critical information infrastructure, and further refine the specifications for the key aspects of data security risk assessment, key business scenarios, key network products and services, and so on. Implementation guidelines and assessment indicators for data security risk assessment should be proposed, and a data security risk assessment system should be built and improved, so as to meet the urgent need for an assessment methodology and assessment indicators and to further promote the implementation of data security policies, laws and regulations.
(2) It is difficult to identify and classify data assets, which urgently needs to be solved by industry authorities and enterprises themselves
Many enterprises have diverse types of data assets, widely distributed data carriers, and numerous data sources, all of which make data identification and classification difficult. When data assets have not been effectively identified and data has not been scientifically classified and graded, the objects and requirements of data security protection are unclear, which in turn hinders the effective conduct of data security risk assessment. Data identification, classification and grading are therefore the top priority for data security protection and risk assessment. The construction of a top-down security protection system based on data classification and grading should be accelerated, and the characteristics and security protection requirements of each industry’s important data should be taken into account to accurately identify and clarify the core data, important data, and general data of each industry, especially those involved in critical information infrastructure. At the same time, the construction of a security risk assessment system based on data classification and grading should be promoted, to provide guidance on risk prevention at the initial stage of building data security protection measures and to verify their effectiveness after construction is completed, so that the idea of data security risk prevention runs through all aspects of data security governance.
(3) A healthy ecosystem for data security risk assessment has not yet been established, and the cooperation of all parties is required to help build it
Over the years, blind spots in the understanding of the importance of data and data security have left many companies without the necessary management of personal information and important data after collecting it. Their knowledge of the number of their data assets, and of the sensitivity and specific distribution of their data, is not clear or accurate enough, and in some cases is absent altogether. The corresponding building of data security protection capacity lags even further behind, the broader environment for effective data security governance is far from being formed, and a healthy ecosystem for data security risk assessment has not yet been established. In the future, we need to take advantage of the “Data Security Law” to promote the construction of digital infrastructure and establish a healthy ecosystem for data security risk assessment. This includes establishing sound data specifications and usage rules adapted to artificial intelligence, the Internet of Everything, and cross-industry and cross-border data, supporting fundamental research on key risk assessment technologies for big data, researching basic risk assessment methods and key technical equipment, and establishing a talent training system that meets the development needs of data security risk assessment. With the protection of core data and important data and the safeguarding of national economic and financial security as the bottom line, a working mechanism should be formed that combines data security risk discovery, accountability for risk issues, and assessment of rectification results, further strengthening the closed loop of data security risk assessment work and providing decision-making support for building the ecosystem.