In May this year the Cyberspace Administration of China released the Digital China Development Report (2022), which shows that China's data output reached 8.1 ZB last year, up 22.7% year on year and accounting for 10.5% of the global total, second in the world. In April 2020 the CPC Central Committee and the State Council issued the Opinions on Building a More Complete System and Mechanism for Market-based Allocation of Factors, in which "data" was written into a central policy document as a new factor of production for the first time. China thus became the first country in the world to establish data as a factor of production at the national policy level. The security problems that come with massive volumes of data pose many risks to citizens' personal rights and interests, to the healthy development of industry, and even to national security. As data security has risen to the level of national security and national strategy, data classification and grading has become a compulsory part of enterprise data security governance. This article consolidates and organizes material on data classification and grading and lays out a path for enterprises to advance it, in the hope that it serves as a reference.
I. Why classify and grade data
1. Meeting legal compliance requirements
Several Chinese laws set out requirements for data classification and grading. The Cybersecurity Law, issued in 2017, provides that network operators should adopt security protection measures such as data classification, and the Data Security Law, issued in 2021, establishes a data security management system. Article 21 of the Data Security Law states: "The State shall establish a classified and graded data protection system, and classify and grade data for protection according to the importance of the data to economic and social development and the degree of harm to national security, the public interest, or the lawful rights and interests of individuals and organizations that would result once the data is tampered with, destroyed, leaked, illegally obtained or illegally used." This makes clear that the basis for classification and grading is the importance of the data and the degree of harm when its security is compromised; it also calls for strengthened protection of important data and a stricter management regime for core data.
The Regulations on Network Data Security Management (Draft for Comment) further specify that the state divides data into three levels, general data, important data and core data, with different protection measures for each level. The regulations also require key protection for personal information and important data, and stricter protection for core data.
In addition, Article 51 of the Personal Information Protection Law requires personal information processors to manage personal information by category, and the law imposes stricter requirements on sensitive personal information so that different degrees of protection are applied. Classification and grading is therefore a necessary part of data compliance.
2. Reducing data security risks
Once data has been classified and graded, an enterprise can allocate resources in a sound and reasonable way and put matching security risk controls in place, protecting data security and personal privacy while releasing the value of its data resources.
By identifying the important and sensitive data within the organization, the enterprise gains a picture of how its sensitive data assets are classified, graded and distributed, and of the usage scenarios for each kind of data. On that basis it can formulate effective protective measures, balance the tension between the value created by data flows and data security, and reduce the security risk of running its business. Finally, it can achieve fine-grained control of data assets, effectively monitor the dynamic flow of sensitive data, and make data use and data sharing "visible and controllable".
3. Meeting the enterprise's own business needs
A data asset inventory is the foundation of data governance. Improving data quality helps business departments formulate more reasonable strategies for business scenarios that involve data processing, strengthens business operations, provides the organization with accurate data services, and promotes the healthy, sustained development of the business. Moreover, fine-grained management of data assets is bound to become a lever or breakthrough point for business optimization, and is itself one element of enterprise competitiveness.
II. What data classification and grading are
According to the definition in GB/T 38667-2020 (Information Technology - Big Data - Data Classification Guide), data classification means distinguishing and grouping data according to its attributes or characteristics, following certain principles and methods, in order to manage and use the data better. There is no single way to classify data; different classification systems arise from the enterprise's management objectives, protection measures and classification dimensions.
Data classification is the first step in data asset management. Whether the task is cataloguing and standardizing data assets, confirming data ownership and managing data, or providing data asset services, effective classification comes first. Classification is mostly considered from the business or data management perspective, along dimensions such as industry, business domain, data source, sharing, and data openness. Along these dimensions, data with the same attributes or characteristics is grouped together according to defined principles and methods.
Data grading, by contrast, distinguishes levels according to the importance of the data and the degree of impact, so that data receives protection commensurate with its importance and impact. The objects affected generally fall into three categories: national security and the public interest; enterprise interests (business, financial and reputational impact); and user interests (impact on users' property, reputation, living conditions, and physical and mental well-being).
Enterprises are advised to take the highest impact level among these as the sensitivity level of the data object. A data grade can also be raised or lowered as the data changes, for example when the content changes, when data is aggregated or merged, or when national or industry regulators require it. Data grading is in essence classification of data along the sensitivity dimension.

Grading data always depends on classifying it. In data security governance and data asset management, classification and grading are therefore treated together, collectively referred to as data classification and grading.
At present, industries such as finance, manufacturing, telecommunications, healthcare and automotive have all issued targeted data classification and grading guidelines or technical specifications (government-sector standards are mostly local standards and are not listed here).

Taking finance as an example, the classification and grading method for the financial sector is mainly embodied in Financial Data Security - Guidelines for Data Security Grading (JR/T 0197-2020) and Guidelines for Data Classification and Grading in the Securities and Futures Industry (JR/T 0158-2018). The former divides data into three categories: customer data, business data, and operations and management data. Customer data is further split into individual customers and institutional customers; business data is subdivided by business line; operations and management data covers marketing and services, operations management, technology management, and general administration (staff, finance, administrative, and organizational information), as shown in the table below.

It is worth emphasizing that grading need not be complicated. In practice, the best grading schemes divide data into just 3 to 5 levels by sensitivity or degree of impact; when an enterprise adopts an over-complicated or arbitrary grading method, data management tends to slide into ever greater confusion.
III. Principles and process of data classification and grading
Enterprises usually follow these principles when classifying and grading data:
Scientific principle: classify systematically according to the multi-dimensional characteristics and logical relationships of the data, and keep the classification rules relatively stable rather than changing them frequently;
Applicability principle: do not create meaningless categories or levels; the results of classification and grading should match general understanding;
Flexibility principle: before consolidating and sharing data, each department should complete classification and grading as its business requires;
Higher-is-stricter principle: when grading, err on the higher side rather than the lower; for example, if a data set contains items of several levels, grade the whole set at the highest level of any item;
Dynamic adjustment principle: a data's category or level may change over time, with policy changes, after security incidents, with shifts in sensitivity across business scenarios, or under differing industry rules, so classification and grading must be reviewed periodically and adjusted promptly;
Minimum impact principle: classification and grading work should disrupt normal system operation as little as possible and must not affect running systems or the normal delivery of business services;
Confidentiality principle: client materials, process data and results encountered during implementation are kept strictly confidential, must not be disclosed to any organization or individual without authorization, and must not be used for any act that harms the client's information security.
The general process of enterprise data classification and grading is covered in several standards and is broadly similar across them: establish a data security project team, inventory data assets, define standards and principles, classify the data, assign security levels, and formulate data security protection policies (the specific implementation steps are shown in the figure below).

IV. How enterprises implement data classification and grading
The general process was outlined above; this section expands on the key technical implementation steps in that process.
1. Inventory assets (data asset discovery)
Data assets are the basis of classification and grading: the enterprise's assets must be surveyed and inventoried to produce an asset list. Classification and grading is a long-term effort, and a clear asset list helps the enterprise plan its implementation.

A data asset security management platform can automatically carry out a dragnet inventory of the enterprise's structured and unstructured data sources and draw a data asset map in the form of an asset catalog, giving an intuitive picture of the distribution, quantity, size, ownership and other details of the data assets and helping the enterprise establish what data it actually holds.
2. Set standards (define the classification and grading method and policy)
Before classifying and grading data, an enterprise needs to define a classification and grading standard. The state has already issued GB/T 35273-2020 (Information Security Technology - Personal Information Security Specification) for personal information, and industries and organizations have published implementation guides for classification and grading, such as JR/T 0158-2018 (Guidelines for Data Classification and Grading in the Securities and Futures Industry), JR/T 0197-2020 (Financial Data Security - Guidelines for Data Security Grading), and YD/T 3813-2021 (Data Classification and Grading Method for Basic Telecommunications Enterprises).
Enterprises can use these implementation guides as a reference and, combining them with their own business, management and data protection needs, define the standard they will use (the figure below takes the financial industry as an example).

3. Apply labels (automated recognition by tools plus manual verification)
Labeling means attaching classification and grading labels to data assets. The enterprise determines the classification and grade of a data asset from information such as the data content, data attributes, data source, and data context.
A data asset security management platform ships with a rich library of general data features and industry rules, and can classify and grade data automatically using techniques such as machine learning, regular expressions, fingerprints, keywords, and data dictionaries. A manual verification pass then fine-tunes the rules to the customer's actual situation and needs, which is what ultimately secures the accuracy of the labeling. Once the rules and configuration are saved, new business data entering the system is classified, graded and labeled fully automatically.
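As an added example (not code from the original article or from any vendor platform), the labeling step described here and the higher-is-stricter principle from section III can be sketched in Python: rules keyed on column-name keywords and on content regexes assign each column a classification and a level, a manual-review override corrects what the rules got wrong, and a table is graded at the highest level of any of its columns. The rule names, the four-level scale and the sample table are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    category: str            # classification from the business view, e.g. customer.personal
    level: int               # grading: 1 public, 2 internal, 3 sensitive, 4 core (assumed 4-level scale)
    pattern: Optional[str]   # content rule: regex a sampled cell value must fully match
    keywords: tuple = ()     # attribute rule: substrings looked for in the column name

# Constructed rule library; a real deployment would load this from the platform's rule base.
RULES = [
    Rule("cn_id_number", "customer.personal", 4, r"^\d{17}[\dXx]$", ("id_no", "idcard")),
    Rule("mobile_phone", "customer.personal", 3, r"^1[3-9]\d{9}$", ("phone", "mobile")),
    Rule("bank_card", "business.payment", 4, r"^\d{16,19}$", ("card_no",)),
    Rule("email", "customer.personal", 2, r"^[^@\s]+@[^@\s]+\.[^@\s]+$", ("email",)),
    Rule("marketing_text", "management.marketing", 1, None, ("campaign", "slogan")),
]

def match_rule(column, samples, threshold=0.8):
    """Return the matching rule with the highest level, or None.
    A keyword rule fires on the column name; a content rule fires when at least
    `threshold` of the sampled values fully match its regex. If several rules
    fire, the highest level wins (the higher-is-stricter principle)."""
    hits = []
    for rule in RULES:
        if any(k in column.lower() for k in rule.keywords):
            hits.append(rule)
        elif rule.pattern and samples:
            matched = sum(bool(re.fullmatch(rule.pattern, str(v))) for v in samples)
            if matched / len(samples) >= threshold:
                hits.append(rule)
    return max(hits, key=lambda r: r.level) if hits else None

def tag_table(columns, overrides=None):
    """Tag every column as {category, level}. `overrides` carries {column: (category, level)}
    from manual review. Columns no rule recognises are marked needs_review at level 2
    so they are never silently treated as public."""
    overrides = overrides or {}
    tags = {}
    for col, samples in columns.items():
        if col in overrides:
            category, level = overrides[col]
        else:
            rule = match_rule(col, samples)
            category, level = (rule.category, rule.level) if rule else ("needs_review", 2)
        tags[col] = {"category": category, "level": level}
    return tags

def grade_table(tags):
    """Grade the whole table at the highest level of any column (higher is stricter)."""
    return max(t["level"] for t in tags.values())

# Constructed sample table: column name -> sampled values (not real records).
SAMPLE_TABLE = {
    "customer_name": ["Zhang San", "Li Si"],
    "mobile": ["13800138000", "13900139000"],
    "id_no": ["11010119900101001X", "110101199001010010"],
    "campaign": ["Spring promo", "Summer promo"],
    "note": ["vip", "new"],
}
```

Running `tag_table(SAMPLE_TABLE)` grades the table at level 4 because of the `id_no` column; passing an override such as `{"note": ("management.operations", 1)}` records the manual-review decision for the column the rules could not classify.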

4. Apply controls (formulate security protection policies from the classification and grading results)
A data asset security management platform helps the organization survey its data assets comprehensively, deeply and systematically, discover and locate sensitive data, complete classification and grading automatically, and build a data asset catalog, which in turn helps it build a data security protection system that applies different protection policies to data of different categories and grades. Through standardized APIs the platform can also export the classification and grading information of data assets to data security tools (such as encryption, masking, watermarking, and firewalls) for deep integration, so that fine-grained, targeted security policy controls are applied at key business scenarios and nodes, achieving comprehensive data protection and preventing data leakage.

V. Closing remarks
Data classification and grading is a basic part of enterprise data security governance and an important means of balancing data protection against data circulation; grading sensitive data improves its security and reduces the enterprise's compliance risk. Classification and grading ensures that users with lower trust levels cannot access sensitive data, protecting important data assets, while also avoiding excessive, unnecessary security measures for unimportant data. It also helps improve operational effectiveness: classification from the business perspective better serves business use and data asset management, helps the enterprise manage its internal data assets at a fine grain, and continuously empowers the business.

This article was reproduced by 数字化转型网 (www.szhzxw.cn) from 国脉数据资产; editor/translator: 宁檬树 of 数字化转型网.

